Keywords: discrete-event systems, extended finite state machines, supervisory control, protocol design.
I. INTRODUCTION
In supervisory control of discrete-event systems, given a plant G and a specification E, it is desirable to find a supervisory control map S such that the plant under supervision, denoted by S/G, satisfies the specification (see Fig. 1). However, in the traditional approaches to discrete-event control problems, which are still dominantly in use, the separation between the plant and the controller is often blurred. Rather, the "closed-loop" or "controlled" system is designed at once and later tested for compliance against the specification of the desired behavior. The alternating-bit protocol discussed later in this paper is a good example.
This paper attempts to bridge the gap between the two methodologies. While we use Supervisory Control Theory (SCT) [1], [2] to design a supervisor, we use a novel approach to implement the design as an embedded part of the system to be controlled. The result, denoted by G_x and shown in Fig. 1-b, is an economical representation of the closed-loop system which is readily identifiable with traditional designs to discrete-event control problems.
Our approach makes clearer the relevance of SCT to many computer-control problems such as the synthesis of communication protocols. In addition, our representation of the controlled system is more compact and can easily be coded in the eventual implementation of the controller.
As an augmentation of the FSM, the EFSM has been widely used by engineers in several fields, such as Application Specific Integrated Circuit (ASIC) design. The method proposed in [3] automatically transforms the high-level description of a circuit in VHDL or C into an EFSM model that is then used to generate functional vectors. Lai [4] presents a path classification method for ASIC designs using the extended finite state machines introduced in [5].
In the area of supervisory control of discrete-event systems, Chen and Lin [6] have presented their work on controller synthesis for Finite State Machines with Parameters (FSMwP) introduced in [7] . FSMwP is an extension of a regular FSM in which provisions have been made to capture the notions of event disablement and enforcement. Motivated by the aforementioned works, we propose to implement the supervisory control map by EFSM as an embedded part of the plant.
The rest of this paper is organized as follows: In Section 2 we define a general model for Extended Finite State Machines (EFSM) and their synchronous product. Section 3 introduces an approach for implementing a supervisory control map by EFSM. In Section 4, an application of our approach in the synthesis of communication protocols is presented. Section 5 concludes the paper.
II. EXTENDED FINITE-STATE MACHINES

A. EFSM Model
An Extended Finite State Machine (EFSM) is an augmentation of a regular finite state machine. A set X of k boolean variables is introduced. A transition in the EFSM is enabled if and only if its guard formula, a predicate given as a boolean formula over X, evaluates to true (1). When a transition is taken, k updating actions may follow. An updating action is a boolean function that assigns a new value to a variable based on the old values of all variables. In the following definition, let G denote the set of all boolean formulas over X, and A the set of all boolean functions B^k → B.
Formally, an EFSM G_x is defined as an 8-tuple G_x = (Q, Σ, δ, q_0, Q_m, X, g, A), where
- Q is a finite, nonempty set of states;
- Σ is a finite set of events;
- δ : Q × Σ → Q is the transition function. The equality δ(q, σ) = q′ means that there is a transition labeled by event σ from state q to state q′; in general, δ is a partial function on its domain;
- q_0 is the initial state;
- Q_m ⊆ Q is the subset of marker states;
- X is a finite set of k boolean variables. We assume that all variables are initialized to false (0);
- g : Σ → G is the guard formula function;
- A : Σ → A^k is the k-tuple of updating functions.
For the sake of convenience, δ is extended from the domain Q × Σ to the domain Q × Σ * in the usual way. For α ∈ Σ, g α is a boolean formula with which all transitions labeled with α are guarded. The tuple of updating functions A α is a k-tuple A α = a 
B. Languages represented by an EFSM
Let V : Σ * → B k be a map that assigns to a string s ∈ Σ * a tuple of boolean values assumed by variables in X at the state reached by s from the initial state of G x . Thus V is defined as follows:
where s ∈ Σ * , x i ∈ X and v : Σ * × X → B is defined in the following recursive manner:
, contains all paths starting from the initial state that can be traversed along the transition diagram of G x while respecting its guard formulas at all intermediate states. Thus it is recursively defined as follows:
C. Equivalent regular FSM
Despite its compactness, an EFSM has expressive power equal to that of an FSM. The equivalent regular FSM G_eq of a given EFSM G_x = (Q, Σ, δ, q_0, Q_m, X, g, A) is a five-tuple G_eq = (R, Σ, f, r_0, R_m), where:
- R = Q × B^k is a finite set of states; a state r = (q, z_1, z_2, ..., z_k) pairs a state of G_x with a valuation of its k variables;
- Σ is the same as the alphabet of events in G_x;
- f : R × Σ → R is the partial transition function. For a state r = (q, z_1, z_2, ..., z_k) and σ ∈ Σ, f(r, σ) is defined if and only if δ(q, σ) is defined and the guard g_σ(z_1, ..., z_k) is true, in which case f(r, σ) = (δ(q, σ), A_σ(z_1, ..., z_k)), i.e. the target state of G_x together with the valuation produced by the updating functions of σ from the old valuation;
- r_0 = (q_0, 0, ..., 0) is the initial state, since all variables are initialized to false;
- R_m ⊆ R is the set of marker states, defined as the states whose first component is a marker state of G_x: R_m = {(q, z_1, ..., z_k) ∈ R : q ∈ Q_m}.
For the sake of convenience, f is extended to R × Σ* in the usual recursive manner. The following theorem states that an EFSM and its equivalent regular FSM generate and mark the same languages.
Theorem 1 For an EFSM G_x and its equivalent regular FSM G_eq, L(G_x) = L(G_eq) (1) and L_m(G_x) = L_m(G_eq) (2).
Proof: The proof of equation (1) is by induction on the length of strings. First, we show that for all s ∈ L(G_x), it must be the case that s ∈ L(G_eq). The base case holds trivially since ε ∈ L(G_eq).
By the definition of the equivalent regular FSM, we conclude that f(r_0, sσ)!, i.e. sσ = s′ ∈ L(G_eq).
Similarly, we can prove the other direction: for all s ∈ L(G_eq), it must be the case that s ∈ L(G_x).
D. Synchronous product
The synchronous product of two EFSMs, G_x1 and G_x2, exists if and only if they are consistent. The consistency condition requires that the updating functions triggered by a common event in the two machines update a common variable to the same value, i.e. for x ∈ X_1 ∩ X_2, where x is the i-th variable in X_1 and the j-th variable in X_2, it is always the case that:
The consistency condition can be easily verified by inspecting the updating functions of common events on common variables before taking the synchronous product.
The synchronous product of two consistent EFSMs,
The following result states that the synchronous product of two FSMs can be extended by taking the synchronous product of the extended components; in other words, the operations of 'extension' and 'synchronous product' commute.
Theorem 2 Let
where
Example: Small Factory. Consider two machines M_1 and M_2 as shown in Fig. 2. Small Factory operates as follows. The machines M_1 and M_2 are connected to each other through a buffer of capacity one. An item is fetched (α_i) and then processed (β_i) by machine M_i, i = 1, 2. Machine M_1 fetches an item from a conveyor belt and processes it. After being processed by M_1, the item is placed in the buffer, and is later fetched by M_2 for further processing. It is required that the buffer neither overflows nor underflows. To satisfy this, we introduce a boolean variable x which effectively counts the number of items in the buffer. Machine M_1 can fetch a new item only if the buffer is empty (x = 0), while machine M_2 can fetch an item only if there is already an item in the buffer (x = 1). When M_1 places an item in the buffer (β_1), it sets x := 1, and when M_2 fetches an item from the buffer (α_2), it sets x := 0. We call M_1 and M_2 extended as above M_x1 and M_x2, respectively.
Fig. 2. Machines M_1 and M_2, and extended machines M_x1 and M_x2, where in g → σ/a, g is a guard formula, σ is an event and a is a comma-separated list of updating functions.
The synchronous product of M_x1 and M_x2, denoted by M_x and shown in Fig. 3-(a), models the behavior of the overall controlled system of machines and buffer. Its equivalent regular FSM is shown in Fig. 3-(b), from which it can easily be verified that the overflow and underflow specifications are both met. Note that, by Theorem 2, the same result is obtained if the control is instead embedded in the synchronous product of M_1 and M_2: it also satisfies the control objectives.
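The following Python program is an added example written for this edition, not code from the paper. It implements the EFSM of Section II-A (guards and updating functions as Python predicates over the current valuation, updates reading the old values), the reachable part of the equivalent regular FSM of Section II-C, and the synchronous product with the consistency check of Section II-D, and then builds M_x of Fig. 3 from M_x1 and M_x2 and checks the buffer specification on it. State names I1/W1/I2/W2, event names a1/b1/a2/b2 (for α_1, β_1, α_2, β_2) and the dictionary-based encoding are my own choices.

```python
from itertools import product


class EFSM:
    """EFSM of Section II-A: (Q, Sigma, delta, q0, Qm, X, g, A).
    delta  : dict (q, sigma) -> q'           partial transition function
    guard  : dict sigma -> predicate(vals)   g_sigma; a missing entry means 'true'
    update : dict sigma -> {x: fn(vals)}     A_sigma; unlisted variables keep their value
    All variables start at 0 (false)."""

    def __init__(self, states, events, delta, q0, marked, variables,
                 guard=None, update=None):
        self.Q, self.S, self.delta = set(states), set(events), dict(delta)
        self.q0, self.Qm, self.X = q0, set(marked), tuple(variables)
        self.g, self.A = dict(guard or {}), dict(update or {})

    def step(self, q, vals, sigma):
        """One guarded move; returns (q', vals') or None when sigma is not enabled."""
        if (q, sigma) not in self.delta or not self.g.get(sigma, lambda v: True)(vals):
            return None
        new = dict(vals)
        for x, fn in self.A.get(sigma, {}).items():
            new[x] = int(bool(fn(vals)))          # updates read the OLD valuation
        return self.delta[(q, sigma)], new

    def language(self, max_len):
        """All strings of length <= max_len in L(G_x) (Section II-B)."""
        frontier = {(): (self.q0, {x: 0 for x in self.X})}
        seen = set(frontier)
        while frontier:
            nxt = {}
            for s, (q, v) in frontier.items():
                if len(s) < max_len:
                    for sigma in self.S:
                        r = self.step(q, v, sigma)
                        if r is not None:
                            nxt[s + (sigma,)] = r
            seen.update(nxt)
            frontier = nxt
        return seen


def equivalent_fsm(e):
    """Reachable part of G_eq (Section II-C): states (q, z1..zk); a transition on sigma
    exists exactly when delta(q, sigma) is defined and g_sigma(z) holds."""
    r0 = (e.q0, (0,) * len(e.X))
    R, f, todo = set(), {}, [r0]
    while todo:
        r = todo.pop()
        if r in R:
            continue
        R.add(r)
        q, z = r
        for sigma in e.S:
            res = e.step(q, dict(zip(e.X, z)), sigma)
            if res is not None:
                f[(r, sigma)] = (res[0], tuple(res[1][x] for x in e.X))
                todo.append(f[(r, sigma)])
    return R, f, r0, {r for r in R if r[0] in e.Qm}


def consistent(e1, e2):
    """Consistency condition of Section II-D: for every common event and common
    variable the two updating functions agree on every valuation."""
    X = sorted(set(e1.X) | set(e2.X))
    for sigma in e1.S & e2.S:
        for x in set(e1.X) & set(e2.X):
            a1 = e1.A.get(sigma, {}).get(x, lambda v, x=x: v[x])
            a2 = e2.A.get(sigma, {}).get(x, lambda v, x=x: v[x])
            for bits in product((0, 1), repeat=len(X)):
                v = dict(zip(X, bits))
                if bool(a1(v)) != bool(a2(v)):
                    return False
    return True


def sync_product(e1, e2):
    """Synchronous product of two consistent EFSMs: shared events move both machines,
    private events move one; guards are conjoined and updating functions merged."""
    if not consistent(e1, e2):
        raise ValueError("updating functions disagree on a common variable")
    events, delta, guard, update = e1.S | e2.S, {}, {}, {}
    for q1, q2 in product(e1.Q, e2.Q):
        for sigma in events:
            nxt = []
            for e, q in ((e1, q1), (e2, q2)):
                if sigma not in e.S:
                    nxt.append(q)                    # event is private to the other machine
                elif (q, sigma) in e.delta:
                    nxt.append(e.delta[(q, sigma)])
                else:
                    break                            # this machine blocks the event
            else:
                delta[((q1, q2), sigma)] = tuple(nxt)
    for sigma in events:
        gs = [e.g[sigma] for e in (e1, e2) if sigma in e.S and sigma in e.g]
        guard[sigma] = lambda v, gs=gs: all(g(v) for g in gs)
        update[sigma] = {x: fn for e in (e1, e2) if sigma in e.S
                         for x, fn in e.A.get(sigma, {}).items()}
    return EFSM(product(e1.Q, e2.Q), events, delta, (e1.q0, e2.q0),
                product(e1.Qm, e2.Qm), dict.fromkeys(e1.X + e2.X), guard, update)


def small_factory():
    """M_x1 and M_x2 of Fig. 2: a1 guarded by not x, b1 sets x := 1;
    a2 guarded by x and sets x := 0. Returns their synchronous product M_x."""
    m1 = EFSM({"I1", "W1"}, {"a1", "b1"}, {("I1", "a1"): "W1", ("W1", "b1"): "I1"},
              "I1", {"I1"}, ["x"],
              guard={"a1": lambda v: not v["x"]}, update={"b1": {"x": lambda v: 1}})
    m2 = EFSM({"I2", "W2"}, {"a2", "b2"}, {("I2", "a2"): "W2", ("W2", "b2"): "I2"},
              "I2", {"I2"}, ["x"],
              guard={"a2": lambda v: bool(v["x"])}, update={"a2": {"x": lambda v: 0}})
    return sync_product(m1, m2)


def buffer_safe(e):
    """No overflow (b1 never fires with x = 1) and no underflow (a2 never fires
    with x = 0) anywhere in the reachable equivalent FSM."""
    _, f, _, _ = equivalent_fsm(e)
    i = e.X.index("x")
    return all(not ((sigma == "b1" and r[1][i] == 1) or (sigma == "a2" and r[1][i] == 0))
               for (r, sigma) in f)
```

Because `consistent` is checked before the product is formed, two machines that both update a shared variable on a shared event but to different values are rejected up front, which is the situation the consistency condition exists to rule out. `equivalent_fsm` only enumerates reachable states, so it is the reachable sub-automaton of Q × B^k that it returns, which is what one inspects in Fig. 3-(b).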
III. IMPLEMENTATION OF SUPERVISORY CONTROL MAP BY EFSM
Let M_k be the set of all minterms over k boolean variables. For convenience we define two injective maps: the state-label map l and the label-minterm map m. The state-label map l : Y → B^k is an injective map that assigns to each state a unique (but otherwise arbitrary) label. The label-minterm map m : B^k → M_k maps a label to the minterm that is true exactly for that label. Note that for the state-label map to be injective it is necessary that |Y| ≤ 2^k. Given the automaton of an admissible supervisor S = (Y, y_0, Σ, ξ, Y_m) over an uncontrolled plant G = (Q, q_0, Σ, δ, Q_m), we implement the supervisory control map by extending G to an EFSM G_x = (Q, Σ, δ, q_0, Q_m, X, g, A). The EFSM G_x can be regarded as the closed-loop system satisfying the control objectives. The first five components of G_x are identical to those of G, and X, g and A are derived from S as explained below.
- X = {x_1, x_2, ..., x_k}, where k = ⌈log_2 N⌉ and N is the number of states in S, so that |Y| ≤ 2^k and l can be injective. The initial state y_0 receives the all-zero label, matching the initialization of the variables to false.
- For σ ∈ Σ, the guard formula g_σ is the disjunction of the minterms m(λ) over all labels λ ∈ L_g(σ), where the set L_g(σ) consists of the labels of all states at which σ is enabled by S, i.e. all l(y) with ξ(y, σ) defined.
- For σ ∈ Σ and 1 ≤ i ≤ k, the updating function a^i_σ is the disjunction of the minterms m(λ) over all labels λ ∈ L_A(σ, x_i), where L_A(σ, x_i) consists of the labels of all states from which x_i becomes 1 after the occurrence of σ, i.e. all l(y) with [x_i]_{ξ(y, σ)} = 1. For y ∈ Y, the expression [x_i]_y denotes the value of boolean variable x_i in state y, that is, the i-th component of l(y). An empty disjunction is the constant 0.
A. Embedded supervisory control
In this section we show that the EFSM G_x designed as above in effect implements the supervisory control map enforced by S.
Theorem 3 For the EFSM G_x designed as above we have L(G_x) = L(G) ∩ L(S).
Proof: We first note that for s ∈ Σ* and σ ∈ Σ, sσ ∈ L(S) if and only if s ∈ L(S) and g_σ(V(s)) = 1. This follows directly from the fact that v_i(s) = [x_i]_{ξ(y_0, s)}, 1 ≤ i ≤ k, i.e. the variables of G_x always hold the label of the current state of S; this can be proved by induction on the length of s.
The proof of the theorem itself is by induction on the length of strings. First, we show that for all s ∈ L(G_x), it must be the case that s ∈ L(G) ∩ L(S).
• Base: This holds trivially since ε ∈ L(G) ∩ L(S).
• Inductive step: Let s′ = sσ ∈ L(G_x), where s ∈ Σ* and σ ∈ Σ. It follows from the inductive assumption that:
Next we show that for all s ∈ L(G) ∩ L(S), it must be the case that s ∈ L(G_x).
• Base: This holds trivially since ε ∈ L(G_x).
• Inductive step: Let s′ = sσ ∈ L(G) ∩ L(S), where s ∈ Σ* and σ ∈ Σ. Since generated languages are prefix-closed, s ∈ L(G) ∩ L(S), which implies by the inductive assumption that s ∈ L(G_x). Furthermore, we know that:
IV. EXAMPLE
The alternating bit protocol [8], [9] is used for reliable data transmission over half-duplex channels. As shown in Fig. 4, two processes A and B communicate over a channel ch. Process A fetches a message and sends it over the channel; process B receives the message from the channel and, if it is error-free, accepts it. The control objective is that every message fetched by A be accepted by B exactly once. In this example we first model the plant and show how it fails to satisfy the specification of the desired behavior. Then embedded controllers for the sender and the receiver are synthesized by introducing boolean variables and designing guard formulas and updating functions so that the controlled system satisfies the specification.
A. Plant and specification
A schematic of the plant is shown in Fig. 5 , where a transmission error is shown by a broken arrow. The system events are defined in Table I . Fig. 6 shows FSM models for sender A, receiver B and channel ch. Finally, the specification S is formalized in Fig. 7 .
We make two assumptions:
1) The channel can pass data messages only in one direction (from A to B), while control information can flow in both directions.
2) Messages and control information never get lost in the channel; they can only get corrupted, which is always detected by the receiving process.
Based on these assumptions, we briefly describe each plant component in Fig. 6. The sender A initially sends a data message to the channel, or fetches a new data message and sends it to the channel. After receiving an acknowledgement from the channel, the sender A returns to its initial state. On the channel's part, any message received from one party (data ds or control cs) is either delivered intact to the other party (dr or cr, respectively) or delivered corrupted (de or ce, respectively). After receiving a data message from the channel, the receiver B nondeterministically either sends an acknowledgement to the channel, or accepts the message and then sends an acknowledgement to the channel. Note that for simplicity our models overapproximate the behavior of the actual system. Our embedded controller, designed below, will remove all illegal and unreasonable behavior.
It is easy to see that the plant in Fig. 6 does not satisfy the specification in Fig. 7 . For example, the string 'df;ds;dr;da;cs;ce;ds;dr;da' is accepted by the plant but not by the specification. The problem is that the receiver B accepts a data message that has already been accepted. Thus, some form of control is required to prevent a duplicate copy of a data message from being accepted. The alternating bit protocol provides a standard solution to achieve the control objective. A description of the protocol is given by W. C. Lynch [8] . 
B. Formulation of alternating bit protocol by EFSM
In this subsection we formalize alternating bit protocol in the EFSM framework using the approach of Section III. We extend A and B automata so that they can serve as embedded local supervisors at the sender and receiver sites.
Observe that since S is controllable with respect to the plant, it can be used as a global supervisor to achieve the control objectives. To implement S by extending the FSM of the plant, we note that one boolean variable is sufficient to encode the states of S. We denote this variable by x and initialize it to 0. Then we label the initial state of S with '0' and the other state with '1', as shown in Fig. 7 .
Since every event in Σ − {df, da} is self-looped at all states of S, the guard formula of such an event is always true, and its occurrence does not change the value of x.
For the events df and da we have:
We conclude that g_df = ¬x, a^1_df = ¬x, g_da = x, and a^1_da = 0. The extended plant components are shown in Fig. 8. The synchronous product of the plant EFSMs is shown in Fig. 9, and its equivalent FSM in Fig. 10.
In the design of the protocol, one boolean variable x is introduced and initialized to 0. The variable x is set to ¬x by the fetch operation and to 0 by the accept operation. Initially x = 0, so df is enabled while da is disabled. When df is eventually taken, x becomes 1 and as a result da is enabled while df is disabled. When da is finally taken, x becomes 0 again, and the cycle df; da repeats alternately.
The design presented in this section does not reflect the decentralized nature of the alternating bit protocol. The variable x is regarded as a global variable whose value is assumed to be instantly available at both processes (in other words, control decisions are made globally while control actions are taken locally). This is not the case in practice, as the sender and the receiver are usually geographically widely separated. Thus the value of x needs to be communicated to the second process in real time whenever it is updated in the first process. In [10] a more faithful model of the alternating bit protocol is presented, in which each process toggles a local variable when fetching or accepting a data message. In addition, each process keeps a local copy of the variable maintained by the other process, which is updated when a data message or acknowledgement is received error-free from that process.
Thus, the alternating bit protocol elegantly achieves the desired control objectives by communicating minimal information between the processes. Moreover, when the timing of events is not constrained, the safety specification is satisfied even in the presence of communication delays; that is, error-free communication need only take place eventually in either direction.
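As an added example (mine, not the paper's), the following Python program carries out the construction of Section III on the specification S of Fig. 7 and runs the result on the plant of Section IV. Fig. 6 is not reproduced on the page, so the sender, channel and receiver automata below are a reconstruction from the description in Section IV-A and are assumptions (in particular that the sender observes ce and the receiver observes de); the supervisor S with states s0 and s1 follows the text. Guards and updating functions are kept as sets of labels, i.e. as the disjunctions of minterms of Section III, so the derived g_df, a^1_df, g_da and a^1_da can be read off directly, and Theorem 3 is checked exhaustively for all strings up to a given length.

```python
from itertools import product
from math import ceil, log2

# Constructed plant components: a reconstruction of the description in Section IV-A
# (Fig. 6 is not on the page), so these automata are assumptions. Each is (delta, q0).
SENDER = ({("A0", "df"): "A1", ("A0", "ds"): "A2", ("A1", "ds"): "A2",
           ("A2", "cr"): "A0", ("A2", "ce"): "A0"}, "A0")
CHANNEL = ({("C0", "ds"): "C1", ("C1", "dr"): "C0", ("C1", "de"): "C0",
            ("C0", "cs"): "C2", ("C2", "cr"): "C0", ("C2", "ce"): "C0"}, "C0")
RECEIVER = ({("B0", "dr"): "B1", ("B1", "cs"): "B0", ("B1", "da"): "B2",
             ("B2", "cs"): "B0", ("B0", "de"): "B3", ("B3", "cs"): "B0"}, "B0")
PLANT = [SENDER, CHANNEL, RECEIVER]

# Specification S of Fig. 7: df and da must alternate; every other event is self-looped.
EVENTS = {"df", "ds", "dr", "de", "cs", "cr", "ce", "da"}
SUP = {("s0", "df"): "s1", ("s1", "da"): "s0"}
SUP.update({(q, e): q for q in ("s0", "s1") for e in EVENTS - {"df", "da"}})
SUP_Q0 = "s0"

# The string from Section IV-A: the plant accepts it, S does not (duplicate accept).
DUPLICATE_ACCEPT = ("df", "ds", "dr", "da", "cs", "ce", "ds", "dr", "da")


def encode_supervisor(sup_delta, sup_q0, events):
    """Section III construction. States get k = ceil(log2 N)-bit labels, y0 -> 0...0.
    A formula is stored as the set of labels whose minterms it is the disjunction of:
      guard[s]     = L_g(s)       labels of states where s is enabled by S
      update[s][i] = L_A(s, x_i)  labels of states from which x_i becomes 1 after s
    so g_s(v) holds iff v in guard[s], and a^i_s(v) = 1 iff v in update[s][i]."""
    states = {q for (q, _) in sup_delta} | set(sup_delta.values()) | {sup_q0}
    k = max(1, ceil(log2(len(states))))
    order = [sup_q0] + sorted(states - {sup_q0})
    label = {q: tuple((n >> i) & 1 for i in range(k)) for n, q in enumerate(order)}
    guard = {s: set() for s in events}
    update = {s: [set() for _ in range(k)] for s in events}
    for (q, s), q2 in sup_delta.items():
        guard[s].add(label[q])
        for i in range(k):
            if label[q2][i]:
                update[s][i].add(label[q])
    return k, label, guard, update


def run(components, string, k=0, guard=None, update=None):
    """Execute a string on the synchronous product of the components with the control
    of Section III embedded (all components share the variables). With no guard/update
    this is simply the uncontrolled product, e.g. the plant G or the supervisor S."""
    guard, update = guard or {}, update or {}
    alphabet = [{e for (_, e) in delta} for delta, _ in components]
    state = [q0 for _, q0 in components]
    vals = (0,) * k                                   # all variables start at 0
    for s in string:
        if s in guard and vals not in guard[s]:       # g_s(V(s)) = 0: disabled by S
            return False
        for i, (delta, _) in enumerate(components):
            if s in alphabet[i]:
                if (state[i], s) not in delta:        # not possible in the plant
                    return False
                state[i] = delta[(state[i], s)]
        if s in update:                               # a^i_s evaluated on the OLD valuation
            vals = tuple(int(vals in update[s][i]) for i in range(k))
    return True


def embedded(string):
    """Run the string on G_x, the plant with S embedded via guards and updates."""
    k, _, guard, update = encode_supervisor(SUP, SUP_Q0, EVENTS)
    return run(PLANT, string, k, guard, update)


def theorem3_holds(max_len):
    """L(G_x) = L(G) ∩ L(S), checked for every string over Sigma up to max_len."""
    return all(embedded(s) == (run(PLANT, s) and run([(SUP, SUP_Q0)], s))
               for n in range(max_len + 1) for s in product(sorted(EVENTS), repeat=n))


if __name__ == "__main__":
    k, label, guard, update = encode_supervisor(SUP, SUP_Q0, EVENTS)
    print("k =", k, "labels =", label)
    print("L_g(df) =", guard["df"], " L_A(df,x) =", update["df"][0])   # both {(0,)}: not x
    print("L_g(da) =", guard["da"], " L_A(da,x) =", update["da"][0])   # {(1,)}: x ; set(): 0
    print("plant accepts duplicate-accept string:", run(PLANT, DUPLICATE_ACCEPT))
    print("G_x accepts duplicate-accept string:  ", embedded(DUPLICATE_ACCEPT))
```

With one variable, the label (0,) is the minterm ¬x and (1,) is x, so `guard["df"] == {(0,)}` is g_df = ¬x, `update["df"][0] == {(0,)}` is a^1_df = ¬x, `guard["da"] == {(1,)}` is g_da = x and the empty `update["da"][0]` is a^1_da = 0, exactly the formulas derived in Section IV-B. The exhaustive check in `theorem3_holds` is the bounded form of Theorem 3; it passes because, as the proof notes, the valuation after any string is the label of the state S has reached.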
V. CONCLUSIONS AND FUTURE WORK
In this paper, we have presented a new approach to implementing supervisory control by an EFSM embedded in the system to be controlled. We have described the EFSM model as an augmentation of the traditional FSM, and shown that although EFSMs have the same expressive power as FSMs, they offer far more economical and realistic representations of physical systems. We have proposed an approach to implement a supervisory control map by an EFSM; the resulting EFSM is shown to generate the same behavior as the system under supervision. Several problems are currently under investigation. Part of our future work is to investigate embedded supervisory control under partial observation. In this case it will be possible to update only a subset of observable variables, which will restrict the class of controlled languages that can be implemented within our framework. We would also like to study blocking issues in modular supervisory control when each supervised system is modeled as an EFSM. Finally, it would be desirable to develop a software tool to simulate the methods presented in this work. We believe these interesting issues will lead to more insightful results.
