Abstract-In supervisory control theory, an issue that often arises in real industrial applications is the huge number of states of the supervisor, which requires a lot of memory. Another problem typically encountered by users of supervisory synthesis tools is the lack of information in, and the unreadability of, the supervisor. In this paper, we introduce a method to characterize a controllable and non-blocking supervisor directly on the modular automata (sub-plants and sub-specifications), by extracting guard conditions from the synthesized supervisor and the synchronized automaton. The presented approach may thus model a complex supervisor with a compact representation without infringing on the original modular structure. Furthermore, the guard conditions, which are generated from a set of states, may give the user of the synthesis procedure a better understanding of which states were removed during the synthesis. In order to obtain more compact guard expressions, we include some unnecessary states (unreachable and extended forbidden states) in the set of states used for guard generation. By exploiting this extra information, it is possible to reduce the logical expressions to more compact guard conditions.
I. INTRODUCTION
In the last decades, there has been a lot of effort to design controllers for complex systems automatically. One approach, suggested by Ramadge and Wonham, is the supervisory control theory for discrete event systems [1]. It is a framework for automatically synthesizing a discrete event supervisor for a plant so that the closed-loop system fulfills given specifications. The plant and the specifications are most often modeled by finite state automata, and both are typically modeled by a number of interacting sub-automata.
The standard way of synthesizing a supervisor is to enumerate all reachable states in the closed-loop system and then remove all states that do not fulfill the given specifications. This approach has three main problems: 1) Enumerating all reachable states in the closed-loop system is computationally expensive due to the state-space explosion. 2) Typically the synthesized supervisor has a large number of states, and representing them as a single automaton requires much more memory than is available in the hardware used to realize the supervisor. 3) While the input models to a supervisory synthesis problem typically consist of multiple automata, the output from the synthesis procedure (the supervisor) is in most cases a monolithic automaton. The relation between the original modular input models and the monolithic output automaton is weak, and it is troublesome for the users of such a system to really understand how the synthesis procedure restricts the input automata models. Thus, users of supervisory synthesis tools, e.g. [2], [3], cannot manually explore the synthesis result: the user retrieves the final supervisor for the system without any specific information regarding the events that cause undesirable states. The authors in [4] propose an algorithm for manufacturing cell controllers that extracts, from the synthesized supervisor, the relations between the operations defining the work in the cell. The main advantage of these relations is to give an easy-to-read representation of the control function and make the method usable in an industrial setting. However, not much attention is paid to how to reduce the final relational expressions for more complex systems, which is the case in many industrial applications. Moreover, some restrictive conditions have been assumed for the original models, which must be satisfied in order to benefit from the method.
In [5], [6] an implementation of decentralized supervisory control was presented. This is performed "by embedding the control map in the plant's local Finite State Machines and employing private sets of Boolean variables to encode the control information for each component supervisor" [6]. Although this process improves the simplicity and clarity of the supervisors, the main focus of these papers is solving the problem of decentralized communicating controllers.
The authors in [7], [8], [9], [10], [11] have proposed another class of approaches for supervisory synthesis, based on the linear algebraic representation of Petri net models of the plants. In these methods, the specifications are added to the plants in the form of linear predicates, which can be considered as constraint conditions. The resulting controller can also be formulated in a similar way as suggested in this paper. However, each approach has some restrictions. The non-blocking problem is not considered in [7]. In addition, in order to employ this approach, the system should satisfy a particular structural condition: the uncontrollable subnet extracted from the Petri net model must be loop free. In [8] the liveness problem is considered, but only for controlled marked graphs. The approach proposed in [9] is applicable if the supervisory net has a convex reachability set; the focus is mainly on efficient automatic verification. In [10] the request for a maximally permissive supervisor is abandoned, in favor of a more easily computed but also more restrictive control function.
978-1-4244-2593-8/08/$25.00 ©2008 IEEE
In this paper we introduce a method for characterizing the controllable and non-blocking supervisor directly on the modular automata by using extended finite automata (EFA) [12] . The main idea is to generate a supervisor that could be represented using the original modular structure that was used to represent the sub-plants and sub-specifications. This is performed by introducing guard conditions on the modular automata so that the resulting reachable states become the same states as in the supervisor.
The synthesis procedure is divided into three steps. In step 1, the monolithic supervisor is synthesized in the traditional way, using binary decision diagrams (BDDs) [13] in order to do the computation symbolically. Using binary decision diagrams makes the synthesis problem tractable for many industrial problems with an extremely large number of states [14], [15]. In step 2, the guard conditions, formed as logic expressions, are extracted from the monolithic supervisor represented by the BDD. Finally, the guard conditions are added to the modular automata in step 3.
A crucial step is to reduce the guard conditions to compact expressions. If the guard conditions are minimized enough, the suggested approach can also save a large amount of memory for supervisors with numerous states. We suggest some alternative state-sets, including unnecessary states (unreachable and certain forbidden states), that are more likely to yield compact expressions.
Since the presented approach is suitable for implementations based on BDDs, it is tractable for larger problems. Moreover, by using this method, the clearness and simplicity of the supervisor are enhanced. The method can be used for any standard supervisory control problem and is thus applicable wherever supervisory control can be used. One possible application is to automatically generate conditions for how concurrently executing operations in a manufacturing system should be coordinated so that the product can be successfully produced, see e.g. [4]. This paper is organized as follows: Section II is devoted to some preliminaries for the theory. The process of adding guards to modular automata is discussed in Section III. Section IV describes how the guard extraction from a monolithic system is performed. In Section V a BDD representation for the state-sets is presented. Finally, Section VI provides some conclusions and suggestions for future work.
II. PRELIMINARIES
In this section, we present some basic concepts that are required in order to get a better understanding of the rest of this article.
A. Finite Automaton
A finite automaton (FA) is a 5-tuple $\langle Q, \Sigma, \delta, q_i, Q_m \rangle$, where $Q$ is a finite set of states; $\Sigma$ is a finite set of events (the alphabet); and $\delta : Q \times \Sigma \to Q$ is a partial transition function which describes the state transitions. When $\delta(q, \sigma)$ is defined, it means that there exists a transition for the state $q \in Q$ and the event $\sigma \in \Sigma$; the next state is denoted by $q' = \delta(q, \sigma)$.
There are also some marked states $Q_m \subseteq Q$, which are the states that are desired to be reached after one or several transitions.
The composition of two automata $A$ and $B$ is defined by the full synchronous composition (FSC) operator [16], which results in a total system $A \parallel B$. The transition function $\delta$ for $A \parallel B$ is defined as in [16].
B. Supervisory Control Theory
Supervisory Control Theory (SCT) [1], [17] is a method for automatically synthesizing supervisors that restrict the behavior of a plant (or a number of plants) in order to satisfy given specifications. These specifications describe the required or allowed behaviors. A supervisor (controller) is used to restrict the execution of the plant to the specifications. In automata theory, the supervisor is the automaton which enables or disables the events in the plant.
Unlike model checking [18] , [19] , where the goal is to verify if the model contains any incorrectness, in SCT all incorrect situations, e.g. undesirable deadlocks, should be identified and avoided in order to guarantee that the system never violates given specifications.
In SCT, events are divided into two disjoint subsets: controllable events Σ c , i.e. the events that can be influenced by the supervisor, and uncontrollable events Σ u , i.e. the events that cannot be influenced by the supervisor.
For a plant model $P$, itself the composition of a number of sub-plants, and a specification model $Sp$, the composition of a number of sub-specifications, the synthesis is carried out on their full synchronous composition. In the process of generating the final supervisor (after the synthesis), we do not distinguish between $P$ and $Sp$, and thus from now on we express $A$ as the full synchronous composition of the $n$ modular automata:
$$A = A_1 \parallel A_2 \parallel \cdots \parallel A_n \quad (1)$$
Some states in $A$ are explicitly defined to be avoided; these are called forbidden states. They include uncontrollable states as well as user-defined forbidden states. There may also be states that merely lead to the forbidden states, and thus they should also be prohibited. We call such states the extended forbidden states and denote the corresponding set by $Q_{ex}$; it is determined by the supervisory synthesis. Hence, the supervisor is generated by excluding $Q_{ex}$ from the reachable states in $A$.
The following notation for some state-sets will be used later in the paper:
• $Q$: All the states in the automaton $A$ (1).
• $Q^\sigma$: The states that enable $\sigma$.
• $Q_{reach}$: The reachable states, i.e. the states that can be reached from the initial state by a number of transitions.
• $Q_{sup}$: All the states in the supervisor.
C. Extended Finite Automaton
An Extended Finite Automaton (EFA), presented in [20], [12], is an extension of the ordinary FA with guard (conditional) formulas and action functions over a set of variables. In this kind of automaton, a transition is enabled if the associated guard is true, and when the transition is taken, updating actions on a set of variables may follow. An EFA is a 6-tuple $\langle Q \times V, \Sigma, G, A, \to, (q_0, v_0) \rangle$ where $Q$ is a set of states; $V$ is the domain of definition of the variables; $Q \times V$ is the extended finite set of states; $\Sigma$ is the alphabet; $G$ is the set of guard predicates over $V$; $A$ is a set of action functions, i.e. $\{a \mid a : V \to V\}$; $\to \subseteq Q \times \Sigma \times G \times A \times Q$ is the state transition relation; and $(q_0, v_0)$ is the initial state. Fig. 1 shows a sample EFA where $\sigma$, $G$, and $A$ stand for event, guard, and action respectively.
III. ADDING GUARDS TO MODULAR SYSTEMS
As stated earlier, in order to synthesize the supervisor, the extended forbidden states ($Q_{ex}$) should be excluded from the reachable states ($Q_{reach}$) in the synchronized automaton $A$ (1).
Another approach to generating the final supervisor is to add restrictive guard conditions to the transitions of the modular automata, i.e. the sub-plants and sub-specifications, and thereby prevent them from reaching the extended for​bidden states. Hence, assuming that the systems are modeled by FAs, after adding the guards they form EFAs. This enables us to characterize the supervisor directly on the modular automata. The guards can be extracted from the monolithic system (the full synchronous composition of the modular automata) by using the information from the supervisor. Recall that we wish to determine the events in the modular automata that should be enabled or disabled. Thus, we will study the case for each event separately.
In order to generate the guard conditions, we first determine the state-sets where an event $\sigma$ can occur and then extract the guard expressions from these state-sets. There are two different points of view one can take when constructing the state-sets:
Case A. States where $\sigma$ is allowed, denoted by $Q^\sigma_a$. Case F. States where $\sigma$ is forbidden, denoted by $Q^\sigma_f$. Hence, we can either choose to restrict a transition by forcing the system to be, or not to be, in a state-set while executing the event. As a result, there are two types of guard conditions: allowing guard conditions and forbidding guard conditions. From Section II-B, recall that $A$ (1) is the full synchronous composition of $n$ automata $A_1, A_2, \ldots, A_n$. Thus each state in the monolithic automaton is a tuple of local states, one per automaton: $\langle q^{A_1}, q^{A_2}, \ldots, q^{A_n} \rangle$.
For case A, we take into account the states that can be allowed, $Q^\sigma_a$. The guard expression that represents this state-set is a disjunction over the states in $Q^\sigma_a$, where a state $\langle q^{A_1}_{\ell_1}, \ldots, q^{A_n}_{\ell_n} \rangle$ contributes the conjunction $(q^{A_1} = q^{A_1}_{\ell_1}) \wedge \cdots \wedge (q^{A_n} = q^{A_n}_{\ell_n})$. On the other hand, for case F, where we consider the states that must be forbidden, $Q^\sigma_f$, the guard expression that represents the state-set for forbidden states is the negation of the corresponding disjunction over $Q^\sigma_f$.
The final guard expression that will be added to the transition $\delta(q^{A_j}_{r_j}, \sigma)$ is computed by removing the terms that include $q^{A_j}_{r_j}$ from the expression (on that transition, automaton $A_j$ is necessarily in $q^{A_j}_{r_j}$, so these terms are trivially true). In order to get a more simplified expression, standard algorithms for minimization of logic expressions, e.g. [21], [22], are applied to the final guard condition. The guard expressions can be represented either in disjunctive normal form (DNF) or in conjunctive normal form (CNF). For each specific example, the form that is easier for the user to comprehend is selected. We clarify the above process by the following example.
Example 1: Consider the classical resource booking problem where two users use two resources, but in opposite order. Thus it can be directly inferred that there would be a deadlock in the system when each user has booked one resource and waits for the other. Fig. 2 shows the resource automata models plus the monolithic automaton for this system. Note that one state in Fig. 2(b) is a deadlock state. Now consider the guard expression for event $a_1$. We study this case for each of the approaches mentioned earlier:
1) The states that must be allowed for event a 1 are { q
Hence the guard expression will be:
which can be simplified to
Thus for transition δ(q A 1 , a 1 ), the guard will be
2) The state-set where a 1 should be forbidden is q
. Thus we will have
which will be
for transition δ(q A 1 , a 1 ). Fig. 2(c) 
IV. EXTRACTING GUARDS FROM A MONOLITHIC SYSTEM
In the previous section we described how the supervisor can be characterized by adding restricting guard conditions to the modular automata. Now the question is how we can extract the guard expressions from the synchronized model $A$ and the supervisor $S$.
As stated earlier, there are two cases we could consider in an attempt to construct the guards. For each case we study two levels of certainty by introducing the following definitions.
For each case, Definitions 1 to 4 introduce an upper bound (the states where $\sigma$ can be allowed, respectively forbidden) and a lower bound (the states where $\sigma$ must be allowed, respectively forbidden). The one used most below is the lower bound of $Q^\sigma_f$, denoted $L(Q^\sigma_f)$: the states where $\sigma$ must be forbidden. Hence, if the state-set used for guard generation does not include some state in $L(Q^\sigma_f)$, then the guard expressions generated from it will make it possible for the closed-loop system to enter a state that was removed in the synthesis procedure, i.e. a state in $Q_{ex}$.
It can directly be observed that there is a duality relation between the upper and lower bounds of the two cases. Moreover, for every $q \in L(Q^\sigma_f)$ we have $\delta(q, \sigma) \in Q_{ex}$.
Proof: The proof is by contradiction. Let $q \in L(Q^\sigma_f)$ and assume that there exists a state $q' = \delta(q, \sigma) \notin Q_{ex}$. Since $Q_{reach} = Q_{sup} \cup Q_{ex}$, $q'$ is then either unreachable or a state in the supervisor. If $q' \in C(Q_{reach})$, it means that an unreachable state, which will never be reached, is forbidden, which violates the lower bound specification. If $q' \in Q_{sup}$, it means that $q$ should not be forbidden, but we assumed that $q \in L(Q^\sigma_f)$, which leads to a contradiction. Hence, both cases lead to contradictions, and thus $\delta(q, \sigma) \in Q_{ex}$.
Theorem 1: Guard expressions that keep the closed-loop system out of $Q_{ex}$ must be generated from a state-set that includes every state in $L(Q^\sigma_f)$.
Proof: The proof is by contradiction. Assume there is a state-set $Q_\ell$ that does not contain all states of $L(Q^\sigma_f)$ but from which guards are generated. By the observation above, the missing state has a $\sigma$-successor in $Q_{ex}$, and the guards generated from $Q_\ell$ do not disable $\sigma$ in it. Thus, if we generate the guard conditions from $Q_\ell$, then we can reach a state $q' \in Q_{ex}$ after the supervisory synthesis, which leads to a contradiction.
A direct deduction from this theorem is a characterization of the states where $\sigma$ can be allowed, i.e. the upper bound of $Q^\sigma_a$: the states that do not enable $\sigma$; the unreachable states; the states in the supervisor from which $\sigma$ leads back into the supervisor ($Q^\sigma_{sup}$); and the extended forbidden states, which will not be reached anyway.
A challenging issue is which approach between A and F is more convenient for extracting the guard conditions. To deal with this question, we first introduce two factors that can impact our decision:
• Memory: In most cases, the automata will be stored in a device with a limited amount of memory, e.g. a PLC; therefore it is crucial to have guard expressions that are reduced as much as possible.
• User: From a user perspective, a reduced logic expression is more readable and understandable. Nevertheless, an expression that is reduced too much can sometimes become harder to comprehend.
Definition 5 (Minimal Guard Expression (MGE)):
Among a set of equivalent guard expressions (expressions with equal truth tables), MGE is the DNF (CNF) expression with the least number of conjunctive (disjunctive) clauses. This definition is based on this assumption that from a user perspective, a logic expression with fewer clauses is more comprehensible.
The goal is to find the MGE for a set of guard expressions. Depending on the system, one of the approaches can yield the MGE, and thus basically either of them can be desirable.
However, a proper choice can be the second case (F), where the state-set is formed from the states where $\sigma$ is forbidden. It is hard to say whether there exists a state-set $Q_{in}$, represented by set operations, that always yields MGEs. Nonetheless, according to the lower and upper bounds of $Q^\sigma_f$, $Q_{in}$ has the following restriction:
$$L(Q^\sigma_f) \subseteq Q_{in} \subseteq U(Q^\sigma_f)$$
where $U(Q^\sigma_f)$ denotes the upper bound. One might expect the smallest such set, $L(Q^\sigma_f)$, to yield the most reduced expression; however, this does not always hold. By including some unnecessary states (unreachable and extended forbidden states), it is possible to perform an additional reduction in the final minimization. Thus, there is a trade-off between keeping the state-set as small as possible and adding some unnecessary states to assist the final minimization.
As a conclusion, four reasonable alternatives for $Q^\sigma_f$, referred to below as $Q^\sigma_{f1}$ to $Q^\sigma_{f4}$ (alternatives (a) to (d)), can be suggested. They are built from $Q^\sigma$, $Q^\sigma_{sup}$, $C(Q_{reach})$ and $Q_{ex}$ by set operations and differ in whether the unreachable states and the extended forbidden states are included. By computing the above state-sets for a number of examples, one can get a view of which alternative most likely yields the MGEs.
As a final remark, note that all the state-sets mentioned, i.e. $Q^\sigma$, $Q^\sigma_{sup}$, $Q_{reach}$, $Q_{ex}$, and their complements, can be computed efficiently with BDDs, and this is where we take advantage of such data structures.
The theory developed in this section is illustrated by the following example.
Example 2: Consider the two sub-plant models $P_1$ and $P_2$ and the two sub-specifications $Sp_1$ and $Sp_2$ shown in Fig. 3(a). Their full synchronous composition ($S_0$) is illustrated in Fig. 3(b). The states in the monolithic automaton are tuples of the local states of $P_1$, $P_2$, $Sp_1$ and $Sp_2$.
Fig. 3. Example 2. a) Sub-plant models $P_1$ and $P_2$ and sub-specifications $Sp_1$ and $Sp_2$. b) Full synchronous composition of the automata ($P_1 \parallel P_2 \parallel Sp_1 \parallel Sp_2$).
We consider the events $a$ and $e$ and their respective guard expressions. By performing a minimization algorithm on the guard expression for $a$ and applying it to state $q^{P_1}_1$, the only state that enables event $a$, it can be reduced to the compact form shown in Fig. 4. For the rest of the expressions, we merely show the reduced representations for events $a$ and $e$ on the states that enable them, one of which reduces to $false$ for the corresponding state.
We observe that for this specific example, alternative (a), i.e. $Q^\sigma_{f1}$, yields MGEs. The resulting guard expressions for $Q^\sigma_{f1}$ are shown in Fig. 4. Note that since the events $a$ and $e$ appear only in $P_1$ and $P_2$, the guard conditions are added only to those automata. In general, after removing the terms for the automaton's own local state, one could perform a further reduction on the final expression. Since the reduction is performed on a new expression, it is possible to obtain a more reduced one.
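As an added worked example (not code from the paper or its authors), the following Python implements steps 1 to 3 of the method of Sections III and IV on a small, constructed instance of the resource-booking problem of Example 1: two users $U_1$, $U_2$ book two resources $R_1$, $R_2$ in opposite order. The automata, event names and local states are assumptions made here, not those of Fig. 2 or Fig. 3. The code computes the full synchronous composition, synthesizes the monolithic supervisor explicitly (blocking states and states with an uncontrollable transition into a removed state are dropped to a fixpoint, which yields $Q_{reach}$, $Q_{sup}$ and $Q_{ex}$), builds $L(Q^\sigma_f)$ and $Q^\sigma_{sup}$ for each event, and generates the forbidding guard for every local transition $\delta(q^{A_j}_{r_j}, \sigma)$ with the term for $A_j$ removed. The minimization is a greedy literal elimination that treats every global state outside $Q^\sigma_{sup}$ (unreachable states, extended forbidden states and states that do not enable $\sigma$) as a don't-care; this is the explicit-state counterpart of adding such unnecessary states to the state-set, and it is that freedom which shrinks the guards. The greedy order is a simplification made for the example; the paper relies on standard logic minimization [21], [22].

```python
from itertools import product

# Constructed example, not from the paper: users U1, U2 book resources R1, R2 in
# opposite order (a_i/b_i = user i books its first/second resource, r_i = user i
# releases both).  Automaton = dict(states, alphabet, delta{(q, e): q'}, init, marked).
def user(i, first, second):
    return {"states": [0, 1, 2], "alphabet": {first, second, f"r{i}"},
            "delta": {(0, first): 1, (1, second): 2, (2, f"r{i}"): 0}, "init": 0, "marked": {0}}

def resource(takes, releases):
    delta = {("free", e): "busy" for e in takes} | {("busy", e): "free" for e in releases}
    return {"states": ["free", "busy"], "alphabet": takes | releases, "delta": delta,
            "init": "free", "marked": {"free"}}

MODULES = {"U1": user(1, "a1", "b1"), "U2": user(2, "a2", "b2"),
           "R1": resource({"a1", "b2"}, {"r1", "r2"}), "R2": resource({"b1", "a2"}, {"r1", "r2"})}
UNCONTROLLABLE = {"r1", "r2"}   # releases cannot be disabled by the supervisor

def compose(mods):
    """Full synchronous composition A = A_1 || ... || A_n; step(q, e) is its partial delta."""
    names = list(mods)
    def step(q, e):
        nxt = []
        for n, s in zip(names, q):
            if e in mods[n]["alphabet"] and (s, e) not in mods[n]["delta"]:
                return None                                # automaton n blocks e
            nxt.append(mods[n]["delta"].get((s, e), s))    # moves, or stays if e is foreign
        return tuple(nxt)
    alphabet = set().union(*(mods[n]["alphabet"] for n in names))
    is_marked = lambda q: all(s in mods[n]["marked"] for n, s in zip(names, q))
    all_states = set(product(*(mods[n]["states"] for n in names)))
    return names, alphabet, step, tuple(mods[n]["init"] for n in names), is_marked, all_states

def reachable(step, alphabet, init, allowed):
    """Forward fixpoint: states reachable from init through states in `allowed`."""
    seen, todo = {init}, [init]
    while todo:
        q = todo.pop()
        new = ({step(q, e) for e in alphabet} & allowed) - seen
        seen |= new; todo += new
    return seen

def synthesize(step, alphabet, init, is_marked, all_states, uncontrollable):
    """Step 1 (monolithic synthesis): iteratively remove blocking states and states
    that reach a removed state by an uncontrollable event.  Returns (Q_reach, Q_sup, Q_ex)."""
    good = set(all_states)
    while True:
        coreach = {q for q in good if is_marked(q)}
        while True:                                        # backward fixpoint to marked states
            new = {q for q in good - coreach if any(step(q, e) in coreach for e in alphabet)}
            if not new: break
            coreach |= new
        bad = {q for q in good if q not in coreach
               or any(step(q, e) not in good | {None} for e in uncontrollable)}
        if not bad: break
        good -= bad
    q_reach = reachable(step, alphabet, init, all_states)
    q_sup = reachable(step, alphabet, init, good) if init in good else set()
    return q_reach, q_sup, q_reach - q_sup

def event_sets(event, step, q_sup):
    """L(Q^sigma_f): supervisor states where sigma is enabled in A but leaves Q_sup;
    Q^sigma_sup: supervisor states where sigma stays in Q_sup (must remain allowed)."""
    succ = {q: step(q, event) for q in q_sup}
    return ({q for q, p in succ.items() if p is not None and p not in q_sup},
            {q for q, p in succ.items() if p in q_sup})

def guard_clauses(n, j, src, q_f, must_allow):
    """Step 2: forbidding guard for automaton j's transition from local state src, as
    clauses over the OTHER automata's states (the term for j is dropped, it is trivially
    true there).  A clause is widened greedily by deleting components while it covers no
    must-allow state; every other global state is a don't-care, which compacts the guard."""
    others = [k for k in range(n) if k != j]
    covers = lambda c, p: p[j] == src and all(p[k] == v for k, v in c.items())
    clauses = []
    for q in q_f:
        if q[j] != src:
            continue
        clause = {k: q[k] for k in others}
        for k in others:
            trial = {kk: v for kk, v in clause.items() if kk != k}
            if not any(covers(trial, p) for p in must_allow):
                clause = trial
        if clause not in clauses:
            clauses.append(clause)
    return [c for c in clauses if not any(d != c and d.items() <= c.items() for d in clauses)]

def render(names, clauses):
    """Guard text as a conjunction of negated clauses; no clause at all means true."""
    if not clauses:
        return "true"
    if any(not c for c in clauses):
        return "false"
    return " ∧ ".join("¬(" + " ∧ ".join(f"{names[k]} = {v}" for k, v in sorted(c.items())) + ")"
                      for c in clauses)

def extract_guards(mods, uncontrollable):
    """Steps 1-3: synthesize, then one guard per local transition, keyed (automaton, state, event)."""
    names, alphabet, step, init, is_marked, all_states = compose(mods)
    q_reach, q_sup, q_ex = synthesize(step, alphabet, init, is_marked, all_states, uncontrollable)
    guards = {}
    for e in alphabet:
        q_f, must = event_sets(e, step, q_sup)
        for j, n in enumerate(names):
            for s, ev in mods[n]["delta"]:
                if ev == e:
                    guards[(n, s, e)] = guard_clauses(len(names), j, s, q_f, must)
    return q_reach, q_sup, q_ex, guards

if __name__ == "__main__":
    for key, clauses in sorted(extract_guards(MODULES, UNCONTROLLABLE)[3].items(), key=str):
        print(key, "->", render(list(MODULES), clauses))
```

On this instance the synthesis finds six reachable states and removes the single deadlock state in which each user holds one resource, so $Q_{ex}$ has one element. The only non-trivial guards are those on the first booking of each user: the transition of $U_1$ on $a_1$ gets ¬(R2 = busy) and that of $U_2$ on $a_2$ gets ¬(R1 = busy), i.e. a user may take its first resource only while the other user's first resource is still free. Because unreachable and extended forbidden states are don't-cares, other elimination orders give equivalent but differently worded guards such as ¬(U2 = 1), which is the paper's point that the choice of state-set affects the form of the MGE.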
V. BDD REPRESENTATION FOR STATE-SETS
As discussed, the extraction and addition of guards deal with various state-sets of the automata, such as $Q^\sigma$, $C(Q_{reach})$, etc., and a number of set operations are performed on these sets. Thus, in order to have an efficient implementation, one should take advantage of a good data structure to represent the automata and the state-sets. A powerful symbolic representation for an automaton is the Binary Decision Diagram (BDD) [13]. Given a set of Boolean variables $V$, a BDD represents a Boolean function $f : 2^V \to \{0, 1\}$ as a directed acyclic graph (DAG) which consists of two types of nodes: decision nodes and terminal nodes. A terminal node is either the 0-terminal or the 1-terminal. If the variables in the BDD follow a total order, it is called an Ordered BDD (OBDD). The main idea behind OBDDs is that they can be reduced to a compact and canonical representation of a Boolean function, often called a Reduced OBDD [23]. In order to represent complex structures such as automata with BDDs, a construct called the characteristic function is often used. For a finite set $S$ and every subset $A \subseteq S$, the characteristic function $\chi_A : S \to \{0, 1\}$ is defined as follows:
$$\chi_A(x) = \begin{cases} 1 & \text{if } x \in A \\ 0 & \text{if } x \notin A \end{cases}$$
Hence, the basic set operations such as union, complement and comparison can be applied to characteristic functions using Boolean operators. For instance, if $A_1, A_2 \subseteq S$, then $A_1 \cup A_2$ can be expressed as $\chi_{A_1} \vee \chi_{A_2}$, since $A_1 \cup A_2 = \{a \in S \mid \chi_{A_1}(a) \vee \chi_{A_2}(a)\}$. Consequently, the state-sets mentioned above can easily be represented by BDDs. For instance, consider the reachable states of an automaton ($Q_{reach}$). Starting from the initial state and performing iterative fixpoint computations, each step adds a new set of reachable states, i.e. the states that are one transition away from the states in $Q_{reach}$, to the state-set. This procedure is repeated until no new states are found, in other words until the global fixpoint is reached; since the reduced OBDD is canonical, this test is a plain comparison of two BDDs. Afterwards, one can easily compute $C(Q_{reach})$: it is sufficient to replace the 0-terminals with 1-terminals and vice versa in the BDD of $Q_{reach}$. Note that this complements over all assignments of the state variables; if the binary encoding of $Q$ does not use every bit pattern, the result must additionally be conjoined with the characteristic function of $Q$, so that patterns encoding no state are not counted as unreachable states. Similarly, other state-sets can also be represented by BDDs.
To conclude, the representation of state-sets and set operations is preferably done with BDDs. Using binary decision diagrams makes the synthesis problem tractable for many industrial problems [14], [15]. We can also benefit from these data structures in the minimization process of the logic expressions.
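As an added example (not from the paper), the following Python implements a minimal reduced ordered BDD with a unique table and uses it for exactly the operations described in this section: characteristic functions of state-sets built from cubes, union as disjunction, the reachability fixpoint with the termination test reduced to a comparison of node identities thanks to canonicity, and complementation by swapping the roles of the terminals. The state encoding (bit $i$ of the current state on variable $2i$, of the next state on variable $2i+1$) and the five-state automaton are assumptions made for the example; the automaton is constructed so that one state is unreachable and three bit patterns encode no state at all, which is what the masking step at the end is for.

```python
# Added example, not from the paper: a minimal ROBDD (unique table + reduction
# rule).  Encoding assumed here: bit i of the current state is variable 2i, of
# the next state variable 2i+1, so renaming next-state to current-state
# variables preserves the variable order (a requirement of `rename`).
_AND, _OR, _XOR = (lambda a, b: a & b), (lambda a, b: a | b), (lambda a, b: a ^ b)

class BDD:
    def __init__(self):
        self.nodes = [None, None]   # id -> (var, lo, hi); ids 0 and 1 are the terminals
        self.table = {}             # unique table (var, lo, hi) -> id: gives canonicity
        self.memo = {}

    def mk(self, var, lo, hi):
        if lo == hi:                # reduction rule: a redundant test node is dropped
            return lo
        if (var, lo, hi) not in self.table:
            self.table[(var, lo, hi)] = len(self.nodes)
            self.nodes.append((var, lo, hi))
        return self.table[(var, lo, hi)]

    def apply(self, op, u, v):
        """Shannon expansion on the smaller top variable, memoized on (op, u, v)."""
        key = (op, u, v)
        if key not in self.memo:
            if u < 2 and v < 2:
                self.memo[key] = int(op(u, v))
            else:
                vu = self.nodes[u][0] if u > 1 else float("inf")
                vv = self.nodes[v][0] if v > 1 else float("inf")
                x = min(vu, vv)
                ulo, uhi = self.nodes[u][1:] if vu == x else (u, u)
                vlo, vhi = self.nodes[v][1:] if vv == x else (v, v)
                self.memo[key] = self.mk(x, self.apply(op, ulo, vlo), self.apply(op, uhi, vhi))
        return self.memo[key]

    def AND(self, u, v): return self.apply(_AND, u, v)
    def OR(self, u, v): return self.apply(_OR, u, v)

    def NOT(self, u):
        """Complement: the 0- and 1-terminals swap roles (XOR with the 1-terminal).
        It negates over every bit pattern, including those that encode no state."""
        return self.apply(_XOR, u, 1)

    def exists(self, u, qvars):
        """Existential quantification of the variables in qvars."""
        if u < 2:
            return u
        var, lo, hi = self.nodes[u]
        lo, hi = self.exists(lo, qvars), self.exists(hi, qvars)
        return self.OR(lo, hi) if var in qvars else self.mk(var, lo, hi)

    def rename(self, u, mapping):
        """Substitute variables; `mapping` must preserve the variable order."""
        if u < 2:
            return u
        var, lo, hi = self.nodes[u]
        return self.mk(mapping.get(var, var), self.rename(lo, mapping), self.rename(hi, mapping))

    def evaluate(self, u, assignment):
        while u > 1:
            var, lo, hi = self.nodes[u]
            u = hi if assignment[var] else lo
        return u

def cube(bdd, state, bits, offset=0):
    """Characteristic function of one encoded state: a conjunction of literals."""
    u = 1
    for i in range(bits):
        lit = bdd.mk(2 * i + offset, 0, 1)                 # the variable itself
        u = bdd.AND(u, lit if (state >> i) & 1 else bdd.NOT(lit))
    return u

def chi(bdd, states, bits, offset=0):
    """Characteristic function chi_A of a state-set A: the disjunction of its cubes."""
    u = 0
    for s in states:
        u = bdd.OR(u, cube(bdd, s, bits, offset))
    return u

def symbolic_reach(bdd, init, transitions, bits):
    """Q_reach by the fixpoint R <- R or Image(R); canonicity makes the test an id comparison."""
    cur, nxt_to_cur = {2 * i for i in range(bits)}, {2 * i + 1: 2 * i for i in range(bits)}
    T = 0                                                   # transition relation over (x, x')
    for s, t in transitions:
        T = bdd.OR(T, bdd.AND(cube(bdd, s, bits, 0), cube(bdd, t, bits, 1)))
    R = cube(bdd, init, bits, 0)
    while True:
        image = bdd.rename(bdd.exists(bdd.AND(R, T), cur), nxt_to_cur)
        R_next = bdd.OR(R, image)
        if R_next == R:
            return R
        R = R_next

def decode(bdd, u, bits):
    """The encoded states (over current-state variables) contained in a set BDD."""
    return [s for s in range(1 << bits) if bdd.evaluate(u, {2 * i: (s >> i) & 1 for i in range(bits)})]

if __name__ == "__main__":
    b = BDD()   # constructed automaton: 5 states in 3 bits, state 4 unreachable, codes 5-7 unused
    reach = symbolic_reach(b, 0, [(0, 1), (1, 2), (2, 0), (0, 3)], 3)
    print("Q_reach:", decode(b, reach, 3), "raw complement:", decode(b, b.NOT(reach), 3))
    print("C(Q_reach) masked with chi_Q:", decode(b, b.AND(b.NOT(reach), chi(b, range(5), 3)), 3))
```

The raw complement of $Q_{reach}$ contains the three unused bit patterns 5, 6 and 7 alongside the genuinely unreachable state 4; conjoining it with $\chi_Q$ leaves only state 4, which is the $C(Q_{reach})$ a guard-generation step should see. Everything in the block goes through `mk`, so two BDDs for the same function always get the same node id, which is what makes the `R_next == R` fixpoint test valid.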
VI. CONCLUSIONS AND FUTURE WORKS
In this paper, we introduced a method for characterizing a supervisor directly on the modular automata by extracting guard conditions from the monolithic system. The extraction is performed by first determining some state-sets in the synchronized automaton where a given event should be prohibited in order to prevent the system from reaching the forbidden states, and second converting the state-sets to guard expressions. We presented some suggestions for state-sets, including unnecessary states (unreachable and certain forbidden states), in order to reduce the logical expressions to more compact guard conditions. Furthermore, we showed how BDDs can be used to represent the state-sets used in the guard extraction and why they are considered powerful data structures for large systems.
There are some directions in which we could extend and optimize our method. In this paper, we have assumed that the modular automata are always ordinary finite automata, which become EFAs after the guard conditions are added. Thus we start the whole process from FAs. An extension would be to have EFAs as the modular automata from the beginning and perform the guard extraction and minimization based on these models. This would require another structure with some parts analogous to the method presented here.
As discussed, we cannot make a certain and general conclusion about which state-set gives the minimal guard expression among the four suggested alternatives. A possible future work is to investigate for which state-set it is more probable to retrieve a more reduced expression, especially for large systems, based on BDD computations.
