On the Equivalence of Controllability and the Input Output Conformance Testing Relation by Khan, Adnan et al.
On the Equivalence of Controllability and the
Input Output Conformance Testing Relation
A. Khan P. Falkman M. Fabian
Chalmers University of Technology,
Department of Electrical Engineering, 41296 Go¨teborg, Sweden
{kadnan, petter.falkman, fabian}@chalmers.se
Abstract: In this paper, the relation between controllability and the IOCO testing relation
is examined. Based on a natural and common notion of controllability, where uncontrollable
events are interpreted as outputs from the plant, and viewing an implementation under test
as a plant, the IOCO testing relation is equivalent to controllability. Further, it is shown
how supervisor synthesis can be used to algorithmically make an implementation IOCO with
respect to its specification. This can be done either by restricting the implementation to the
supremal controllable sublanguage, or extending the specification to the infimal controllable
superlanguage, of the implementation and the specification. Both alternatives seem to be equally
viable, and the choice between them seem strongly application dependent.
Keywords: Input-Output Conformance, Controllablility, Supervisory Control Theory,
Model-Based Testing, Discrete Event Systems
1. INTRODUCTION
Many types of engineered systems, such as manufacturing
systems, traffic systems etc, are driven by software and
are getting more and more automated for the benefit of
society. In manufacturing systems, increased number of
automated machines and resources have resulted in better
production rates and quality of products. In automotive
systems, self-driving cars promise to bring about beneficial
changes to our environment, like less traffic, and less
accidents.
However, the control programs that implement the func-
tionality of these systems are complex and hard to develop
so that the resulting system behavior is logically correct.
In addition, in many cases these systems are safety-critical,
meaning that failures can have catastrophic outcomes and
must be avoided. Typically implementation is manual, and
based on design documents that are informal in nature,
mainly expressed in natural language, which further em-
phasizes the problem.
Many of these systems, and especially their decision mak-
ing logic, can be modeled as discrete event systems, which
are systems that evolve dynamically on the occurrence
of events, while at each time instant occupying a specific
state where certain conditions hold. Using this modeling
formalism, many methods have been developed to help
implementing correct behaviors from requirements speci-
fications. This paper deals with two formal such methods,
the supervisory control theory (Ramadge and Wonham,
1987), which takes a “correct-by-construction” approach,
and model-based testing (Utting and Legeard, 2007), which
? This work has been carried out at the Wingquist Laboratory
VINN Excellence Centre within the Production Area of Advance at
Chalmers. It has been supported by Vinnova FFI VIRTCOM (2014-
01408), and ITEA3 Vinnova ENTOC (2016-02716).
applies testing techniques to a model of an implementa-
tion.
The supervisory control theory (Ramadge and Wonham,
1987) allows the automatic generation of controllers known
as supervisors based on a model of the uncontrolled
system, the plant, and the provided specifications. This
process of automatic generation of supervisors is called
synthesis. Since a controller only has partial control over
the events that the plant generates, some of the events are
uncontrollable, for the specification to be implementable on
the plant, the property of controllability has to be satisfied.
If the specification is not controllable with respect to the
plant, the specification is automatically modified by the
synthesis procedure, resulting in the supervisor which is
guaranteed to be controllable with respect to the plant.
Model-based testing (Utting and Legeard, 2007) is a for-
mal approach to subject a model of an implementation to
series of tests that try to falsify the specification according
to which the implementation was created, in order to find
faults in the implementation. To formalize this, the con-
cept of input-output conformance (IOCO) was proposed
by Tretmans (1996). Similar to the supervisory control
theory, the IOCO testing relation depends on two models,
a specification model and an implementation model. In
the IOCO testing relation, the specification provides the
basis for the behavior of the implementation, in that it
dynamically defines the outputs that the implementation
is allowed to emit. If other than the specified outputs
are emitted by the implementation, it is not IOCO with
respect to the specification and must be modified. The
testing literature, does not (to the best of the author’s
knowledge) describe any approach that modifies the im-
plementation automatically.
1.1 Contribution
In this paper, the equivalence between controllability and
the IOCO testing relation is detailed. This equivalence is
established in terms of viewing the implementation model
as the plant, the uncontrollable events as outputs from the
plant, and a semantic comparison between the respective
formal definitions of controllability and IOCO. It is further
shown how synthesis, as defined within the SCT, can be
used to algorithmically make an implementation IOCO
with respect to its specification, either by restricting the
implementation or extending the specification.
1.2 Outline
This paper is structured as follows. In Section 2 back-
ground regarding the SCT is given. In Section 3, the IOCO
testing relation is introduced. In Section 4, the equivalence
between controllability and IOCO is established with the
help of an example. Section 5 introduces a remedy for
non-IOCO systems based on supervisor synthesis. Finally,
Section 6 concludes the paper and presents some future
work directions.
2. SUPERVISORY CONTROL THEORY
The Supervisory Control Theory (SCT) was introduced
by Ramadge and Wonham (1987) to take a control-
theoretic approach on discrete event systems. The main
idea behind this theory is the automatic synthesis of
controllers, called supervisors, for a system under scrutiny.
The essential elements required to synthesize a supervisor
are specification and plant models.
The plant is a model of all the possible behavior of the
uncontrolled system, while the specification models the
desired controlled behavior. The task of synthesis is now to
automatically calculate a supervisor, given the plant and
the specification, such that when this supervisor controls
the plant the closed-loop system exhibits a behavior that
is guaranteed to remain within the specification, while
always being able to complete some desired task.
The supervisor effects its control on the plant by dy-
namically disabling events from occurring. Thus, there is
an asymmetric feedback-loop between the plant and the
supervisor, see Fig 1 (left), the plant generates events,
while the supervisor at each global state disables a subset
of the events to guarantee that the closed-loop system
never goes outside the specified behavior. However, not
all events are subject to disablement by the supervisor;
controllable events can be disabled, while uncontrollable
events cannot. This must be considered when synthesizing
the supervisor; the synthesis procedure must produce a
supervisor that is controllable with respect to the plant
and the uncontrollable events.
In addition, some global states are of significant interest,
and are therefore marked by the specification. At least one
of these marked states must always be reachable from any
state in the closed-loop system,. This poses a requirement
on the supervisor to be non-blocking.
Furthermore, it is common to require that the supervi-
sor should disable events only when enabling such events
Fig. 1. Asymmetric (left) and symmetric (right) supervisor
feedback loops.
would inevitably lead to violating the controllability or
non-blocking properties. This is captured by the require-
ment of the supervisor to be minimally restrictive 1 It is
known that a minimally restrictive, controllable and non-
blocking supervisor always exists, is computable in the
regular case, and is unique (Ramadge and Wonham, 1987;
Cassandras and Lafortune, 2009).
Though Ramadge and Wonham (1987) originally took a
formal language-theoretic viewpoint, for calculation pur-
poses it is beneficial to model the plant, the specification,
and the supervisor as finite-state machines (Cassandras
and Lafortune, 2009).
Definition 1. A finite-state machine (FSM) A is a 5-tuple,
A = 〈QA,ΣA, iA, δA,MA〉 where
• QA is a finite non-empty set of states;
• ΣA is a finite non-empty set of events, the alphabet ;
• iA is the initial state, iA ∈ QA;
• δA : QA × ΣA → QA is the transition function;
• MA is the set of marked states, MA ⊆ QA.
The transition function δA is a partial function not nec-
essarily defined for all combinations of states and events.
An event σ ∈ ΣA is said to be enabled in a state q ∈ QA
if δ(σ, q) is defined. Also, δA can be extended to elements
of Σ∗A, the Kleene closure of ΣA, which are sequences of
events, in such a way that for sσ ∈ Σ∗A and q ∈ QA,
δA(sσ, q) = δA(s, δA(σ, q)).
In the following it is assumed that that plant, specification,
and supervisor all have the same alphabet, Σ, and that
the controllable and uncontrollable events, Σc and Σu,
respectively, partition Σ.
For an FSM, the set of event sequences possible starting
from the initial state defines a formal language.
Definition 2. The language of an FSM A is the set
L(A) = {s ∈ Σ∗A | δA(s, iA) is defined} (1)
The interaction between the supervisor and the plant can
be modeled by synchronous composition, where an event
can occur only if it is simultaneously enabled in both.
Definition 3. For two FSMs G and S, their synchronous
composition is G||S = 〈QG ×QS ,Σ, 〈iG, iS〉, δG||S ,
MG ×MS〉, where
δG||S(〈p, q〉, q) = 〈δG(σ, p), δS(σ, q)〉 (2)
1 This paper will treat neither non-blocking nor minimally restric-
tiveness, so these properties will not be formally defined.
if both δG(σ, p) and δS(σ, q) are defined, else undefined.
From the definition it follows directly that L(G||S) =
L(G)∩L(S). Now controllability can be formally defined.
Definition 4. Given a plant G and uncontrollable events
Σu, a supervisor S is controllable w.r.t. to G and Σu if
L(G||S)Σu ∩ L(G) ⊆ L(G||S). (3)
It can be shown that (3) is equivalent to
L(S)Σu ∩ L(G) ⊆ L(S). (4)
For deterministic FSMs, the language-based controllability
definition (4) can be equivalently posed as
∀s ∈ L(S) Σu(δG(iG, s)) ⊆ Σu(δ(iS , s)). (5)
Here, Σu(·) represents the uncontrollable events enabled at
the state. So (5) says that at a global state reached by the
string s, the uncontrollable events enabled by the plant G
must be a subset of the uncontrollable events enabled by
the supervisor S. In that way, S will never (try to) disable
any uncontrollable event enabled by G from any state that
S allows the closed-loop system to reach.
Balemi (1992) re-interprets the original R&W SCT for-
mulation into an input/output interpretation, where Σu
are regarded as outputs from the plant and inputs to the
supervisor, while Σc are outputs from the supervisor and
inputs to the plant. This forms a symmetric relation be-
tween the plant and the supervisor, see Fig 1 (right), which
according to Balemi (1992) is better suitable to model
real systems, where events do not occur spontaneously but
only as responses to commands. This changes the role of
a supervisor from being a passive safety device that stops
bad things from happening (while allowing good things),
to being an active entity commanding actions of the plant.
It is shown by Balemi (1992) that the input/output inter-
pretation does not really change anything when it comes
to synthesis and controllability, the same requirements are
still valid and it is only a matter of interpretation. In this
interpretation, controllability means that the supervisor
must at each global state be ready to accept as inputs
the plant outputs enabled in that state. Similarly, there is
an inverse controllability where the supervisor may not
generate outputs (inputs to the plant) that the plant
cannot accept in its current state. However, due to the way
synthesis is performed, inverse controllability is trivially
satisfied, and need not concern us further.
3. INPUT OUTPUT CONFORMANCE (IOCO)
TESTING RELATION
After implementing any system, usually testing is carried
out to check its correctness. In the case of discrete event
systems, the Input-Output Conformance testing proposed
by Tretmans (1996) is a way to scrutinize an implementa-
tion using specifications as the basis.
In this paper, the point of discussion will revolve around
the modified definition of IOCO given by Gregorio-
Rodr´ıguez et al. (2013).
Compared to the original definition of IOCO, which con-
siders implementations to be input enabled, Gregorio-
Rodr´ıguez et al. (2013) consider a simplified version of
the definition and applies it to an input-output domain
of a labelled transition system. In addition, the original
version of IOCO considers suspension traces, which are
the traces containing quiescent behavior (deadlock). But
the modified definition takes all the traces into account,
because the quiescent behavior is included in the modified
definition by introducing a special symbol for it. Hence,
this modified definition of IOCO by Gregorio-Rodr´ıguez
et al. (2013) is broader than the original one and will be
used throughout this paper.
To give the formal definition of IOCO, consider two
disjoint sets of input actions I and output actions O.
The output actions are the actions initiated by the system
under test and are expressed with an exclamation mark,
such as !a ∈ O. Now, we consider a labelled transition
system and an example in this section to elaborate the
concept of IOCO and give the formal definition.
Definition 5. A labelled transition system comprising of
inputs and outputs is a 4-tuple 〈S, s0, L,→〉 where:
• S is a non-empty set of states;
• s0 ∈ S is the initial state;
• L is a countable set of labels. These represent ob-
servable actions of a system i.e. L = I ∪ O where
I and O are as above. Consider also a quiescence
symbol δ 6∈ L, and define the sets Lδ = L ∪ {δ} and
Oδ = O ∪ {δ};
• →⊆ S × Lδ × S is a transition relation such that,
p
a−→q implies 〈p, a, q〉 ∈→ and p a−→ for a ∈ Lδ, if there
exists q ∈ S such that p a−→q. Similarly, p6 a−→, for a ∈ Lδ,
if there exist no q such that p
a−→q. In addition, only
coherent quiescent systems are allowed so → should
also satisfy the following:
· if p δ−→p′, then p = p′ i.e. a quiescent transition is
always reflexive.
· if p6 !o−→ for any !o ∈ O, then p δ−→p, i.e. a state with
no outputs is quiescent.
· if there is !o ∈ O such that, p !o−→, then p6 δ−→, i.e. no
output actions can be performed from a quiescent
state.
Furthermore, a trace t is a finite sequence of symbols of Lδ
i.e. t ∈ L∗δ , including the empty trace . Additional defini-
tions needed to express the IOCO relation in Definition 9
are as follows.
Definition 6. The set of traces from a state p in an LTS is
traces(p) = {t ∈ L∗δ | p t−→}. (6)
For an LTS A = 〈S, s0, L,→〉 its set of traces are the ones
defined from its initial state
traces(A) = traces(s0). (7)
Definition 7. The set of states reached after a trace t from
a state p in an LTS is
p after t = {p′ ∈ S | p t−→ p′}. (8)
For an LTS A = 〈S, s0, L,→〉 the set of states reached
after a trace t is
A after t = {p′ ∈ S | s0 t−→ p′}. (9)
Definition 8. The set of outputs from a state p in an LTS
is
outs(p) = {x ∈ Oδ | p x−→}. (10)





Gregorio-Rodr´ıguez et al. (2013) define IOCO as a relation
between states of a single LTS, but an equivalent definition
can be made between two different LTSs.
Definition 9. For two LTS, A and B, A is said to be IOCO
with respect to B if
∀t ∈ traces(B) : outs(A after t) ⊆ outs(B after t).
(12)
Here A is the (model of the) implementation, while B is
the specification.
The formal definition above describes the IOCO relation
such that, an implementation A conforms to a specification
B, if and only if for all the traces t in the specification, the
outs of A after t is a subset of outs of specification B after
t. From this definition, it can be seen that, for a system to
be IOCO, the traces in specification is used as a limit to
check the implementation, not the other way around.
4. IOCO VS CONTROLLABILITY
In the SCT, controllability is a requirement on the su-
pervisor to never allow the controlled closed-loop system
to reach a global state where the plant can generate an
uncontrollable event that is not enabled by the specifi-
cation. If this requirement is fulfilled, the plant cannot
uncontrollably take the closed-loop system outside of the
specification. If the specification is not controllable, syn-
thesis will in the typical case restrict, or in some cases
expand, the specification within the limits set by the plant,
to make it controllable and hence usable as a supervisor.
Note that there is a duality between the specification and
the supervisor, in so far as if the specification is initially
already controllable with respect to the plant, then the
specification is immediately the supervisor.
IOCO on the other hand, places a requirement on the
implementation such that in each global state that the
specification and implementation can reach together, the
implementation does not enable any output that is not
enabled by the specification. If this does not hold, either
the implementation is considered faulty and must be
altered to become IOCO with respect to the specification,
or the specification is considered to restrictive and is
altered to make the implementation IOCO with respect to
to the specification. Contrary to the SCT, IOCO-testing
does not include any techniques to automatically do the
necessary alterations.
Comparing expressions (5) and (12), not only are they
syntactically similar, but if we regard the implementation
as a plant, and the uncontrollable events as outputs from
the plant, the two expressions are equivalent.
To further elaborate the equivalence between controlla-
bility and IOCO, consider the example of LTSs shown
in Fig 2. In the example, we have an implementation G
and two different specifications S1 and S2. First, we try to
establish the IOCO relation using Definition 9. To check
the IOCO relation, we first apply the definition to G with
respect to S1 and then with respect to S2.
Fig. 2. Implementation/plant G (left), and specifications
S1 (middle) and S2 (right).
Table 1. IOCO Testing for G and S1
traces(S1) outs(G after t) outs(S1 after t)
 ∅ {!f1, !f2}
s1 {!f1} {!f1, !f2}
s1.!f1 ∅ ∅
s1.!f1.s2 {!f2} {!f1, !f2}
s1.!f1.s2.!f2 ∅ {!f1, !f2}
s1.!f1.s1 {!f1} ∅
According to the IOCO definition, the first step is to
analyze all traces in S1 and G individually and then
compute the outs(·) i.e. possible outputs from the reached
state after the execution of each trace.
In the case of G and S1, we start to evaluate traces
possible in S1 from the global initial state 〈p0, q0〉. As
can be seen from Table 1, the IOCO relation holds for
five traces only. For the sixth trace in S1 i.e. the trace
s1.!f1.s1 Definition 9 does not hold.
To check the failure of the IOCO relation, we analyze the
LTS of both S1 and G to verify the sixth trace mentioned
in Table 1. It can be seen that, outs(G after s1.!f1.s1) =
{!f1}, while outs(S1 after s1.!f1.s1) = ∅. Hence, the
IOCO relation does not hold in this trace because the
outs(·) possible from G is not a subset of specification S1.
Thus, the LTS G is not IOCO with respect to S1. Now,
we analyze the above two LTS i.e G and S1 to check the
property of controllability.
From the perspective of controllability, It can be seen that,
the outs(·) i.e. the uncontrollable events of G are not the
subset of outs(·) of S1 after the trace s1.!f1.s1. Hence,
the property of controllability does not hold in case of S1
and G.
Now, we see that G is not IOCO with respect to S1 and
at the same time S1 is not controllable with respect to
G. Usually in a scenario where the specification is not
controllable with respect to G, synthesis is carried out to
make the specification controllable with respect to G. The
synthesis result is presented in Section 5. Next we will
check if G is IOCO with respect to S2 and at the same
time if S2 is controllable or not with respect to G.
To check the property of controllability and the IOCO
testing relation, first we apply the IOCO definition to G
with respect to S2. Again, all traces have to be analyzed
in S2 and G individually and the outs(·) are compared,
i.e the possible outputs from the reached state after the
execution of each trace.
In the case of G and S2, we start to evaluate traces
possible in S2 from the global initial state 〈p0, r0〉. As can
be seen from Table 2, all traces mentioned complies with
Table 2. IOCO Testing for G and S2
traces(S2) outs(G after t) outs(S2 after t)
 ∅ {!f1, !f2}
s1 {!f1} {!f1, !f2}
s1.!f1 ∅ {!f2}
s1.!f1.s2 {!f2} {!f1, !f2}
s1.!f1.s2.!f2 ∅ {!f1, !f2}
s1.!f1.s1.s2.!f2.s1 {!f1, !f2} {!f1, !f2}
Definition 9. Hence, the IOCO relation holds because the
outs(·) possible from G is a subset of specification S2.
Thus, the LTS G is IOCO with respect to S2.
Here, it can be argued that we have to evaluate all the
possible traces in S2 to state that the IOCO relation
holds. As can be seen from Figure 2, there are infinitely
many traces possible in S2. Evaluation of every trace
will be an exhausting task, also every time a new trace
is evaluated the string gets longer, hence the testing of the
IOCO relation becomes tedious.
In both cases the six evaluated traces exhaust the possible
global state space of G and S1, and G and S2, respectively.
Hence, traces should be evaluated until all possible state
combinations have been checked.
The main reason for the condition mentioned above is,
outs i.e. the uncontrollable events are evaluated from
the state reached after the executed trace for the IOCO
relation. Thus, if all possible combinations of states have
been explored for IOCO by using a finite number of traces,
testing can be called sound. Applying the same condition
for trace evaluation in case of S2 and G, it is evident that,
after evaluating six traces all possible state combinations
have been explored and the IOCO relation holds in every
state. Hence, G is IOCO with respect to S2.
Now to check the property of controllability, that is,
whether S2 is controllable with respect to G, we have to
check the outs (uncontrollable events) from G and S2.
From Table 2, it is evident that for every trace stated,
all uncontrollable events of G are in S2, hence S2 is
controllable with respect to G.
When altering an implementation that is non-IOCO with
respect to a specification, the obvious thing seems to be
to restrict the behavior of the implementation so that it
becomes IOCO with respect to the specification, in much
the same way as to what synthesis does when generating a
supervisor. If on the other hand for a non-IOCO system the
specification is to be altered, then again this can be done
by synthesis but now expanding the specification to make
the implementation IOCO. The next section elaborates on
these two possibilities.
5. SYNTHESIS
If the specification and the plant do not conform to each
other according to controllability or IOCO, there prefer-
ably should be some algorithmic way to remedy the sit-
uation. Within the SCT, this is called synthesis, and it
creates a supervisor that is by construction controllable
with respect to the plant. There are two basic ways to do
synthesis given a plant G and a specification K, either to
calculate the supremal controllable sublanguage, denoted
supC(G||K), or calculating the infimal controllable su-
Fig. 3. Synthesis result for G and S1. Left, supremal
controllable sublanguage. Right, infimal controllable
superlanguage.
perlanguage, denoted inf C(G||K). It is known (Ramadge
and Wonham, 1987; Cassandras and Lafortune, 2009) that
both of those languages always exist, are computable (in
the regular case), and are unique; however, supC(G||K)
may be the empty language (signifying that no useful
solution exists) while inf C(G||K) may be the entire plant.
The result of calculating the supremal controllable sub-
language of S1 with respect to G, using the tool Suprem-
ica (Malik et al., 2017), is shown in Fig. 3 left, denoted
by supC(G||S1). Let us call this automaton S, and it
is such that L(S) = supC(G||S1) ⊆ L(G)
⋂
L(S1). S
would be a supervisor able to control the plant G to always
remain within the specification K. However, in a testing
setting we can use S as a replacement for G, which is not
IOCO with respect to S1. This can be done since S1 is
controllable with respect to S, and hence S is IOCO with
respect to S1, as is straightforwardly proven. So, in place
of the originally given implementation G (Fig 2), which
allows arbitrary sequences of s1.!f1 and s2.!f2 loops, the
restricted implementation supC(G||S1) of Fig 3, which
only allows s1.!f1.s2.!f2 loops, can be used, and this is
IOCO with respect to S1. In practice, S could be given
as feedback to a developer and used as specification for
what should be implemented, guiding the developer in
correcting the implementation.
However, in some cases restricting the implementation to
be IOCO with respect to the specification may not be a
good alternative. One such case would be when supC(·)
is empty. Then, instead of restricting the implementation,
the specification can be enlarged. This is done by calculat-
ing the infimal controllable superlanguage. For S1 and G,
the result of this calculation, inf C(G||S1), using the tool
DESUMA (Ricker et al., 2006), is shown in Fig. 3, right.
In this case the original implementation G is now IOCO
with respect to the enlarged specification inf C(G||S1),
or equivalently, the enlarged specification inf C(G||S1)
is controllable with respect to the original plant G. In
practice, inf C(G||S1) could be given as feedback to a
developer help understanding what needs to be relaxed
for the implementation to be valid.
In the development of a safety-critical system, restricting
the implementation to the supremal controllable sublan-
guage would seem to be most appropriate, as this guar-
antees that the implementation never breaks the specifi-
cation. However, for large systems it is not easy to assess
whether important parts of the implementation behavior
have been removed by the synthesis, the only guarantee
is that the restricted implementation is safe with respect
to the specification, not that all of the specification is
achieved. On the other hand, enlarging the specification to
make the given implementation IOCO, adds behavior from
the implementation to the specification, and it might not
be easily assessed exactly what behavior has been added,
other than that this is behavior that breaks the original
specification. So, both alternatives of algorithmic remedy
for a non-IOCO system seem appropriate in a testing
setting, but the particular choice seems very application
dependent.
6. CONCLUSIONS
The relationship between the controllability property from
the SCT defined to guarantee well-behaved supervisory
control, and the IOCO property used for conformance
testing of an implementation relative a specification, has
been examined. It is shown that under the interpretation of
the uncontrollable events as outputs from the plant, and
viewing the implementation as the plant, the two prop-
erties are equivalent. From a controllability perspective
the supremal controllable sublanguage of the specification
seems to make the most sense, as this guarantees that
the controlled system always remains within the speci-
fication; only in the case where the resulting supervisor
is too restrictive, such as the degenerate null supervisor,
would the infimal controllable superlanguage seem appro-
priate. However, controllability poses a requirement on
the specification, whereas IOCO poses a requirement on
the implementation, and so correcting a non-conforming
system could more reasonably be done by either the supre-
mal controllable sublanguge, or the infimal controllable
superlanguge. In the first case the implementation would
be restricted to be IOCO with respect to the specification,
while in the latter case the specification would be extended
to make the implementation IOCO.
There exist efficient methods to asses whether a system
of plants and specifications are controllable, such as the
modular approaches (de Queiroz and Cury, 2000; A˚kesson
et al., 2002). The equivalence between controllability and
IOCO means that those methods can also be used to
efficiently assess whether a system consisting of implemen-
tation and specification components is IOCO. This idea
is investigated by Van Der Bijl et al. (2003), where it
is shown that the IOCO relation is suitable (under some
restrictions) for compositional testing, but no algorithm to
assess whether a modular system is IOCO is given.
For non-deterministic systems, neither controllability nor
the IOCO relation are detailed enough to capture the
necessary relations between the plant/implementation and
the specification. Several generalizations have been pro-
posed, among them the process theoretic notions of par-
tial bisimulation (Baeten et al., 2011) for controllability,
and the input-output conformance simulation (Gregorio-
Rodr´ıguez et al., 2013). In future work we will examine
the relation between these two properties.
REFERENCES
A˚kesson, K., Flordal, H., and Fabian, M. (2002). Exploit-
ing modularity for synthesis and verification of supervi-
sors. IFAC Proceedings Volumes, 35(1), 175 – 180. 15th
IFAC World Congress.
Baeten, J., Van Beek, D., Luttik, B., Markovski, J.,
and Rooda, J. (2011). A process-theoretic approach
to supervisory control theory. In American Control
Conference (ACC), 2011, 4496–4501. IEEE.
Balemi, S. (1992). Control of discrete event systems: theory
and application. Ph.D. thesis, Swiss Federal Institute of
Technology, Zu¨rich, Switzerland.
Cassandras, C. and Lafortune, S. (2009). Introduction
to Discrete Event Systems. SpringerLink Engineering.
Springer US.
de Queiroz, M.H. and Cury, J.E.R. (2000). Modular
supervisory control of large scale discrete event systems.
In S.G. Boel R. (ed.), Discrete Event Systems: Analysis
and Control, 103–110. Springer US, Boston, MA.
Gregorio-Rodr´ıguez, C., Llana, L., and Mart´ınez-Torres,
R. (2013). Input-output conformance simulation (iocos)
for model based testing. In Formal Techniques for
Distributed Systems, 114–129. Springer.
Malik, R., A˚kesson, K., Flordal, H., and Fabian, M. (2017).
Supremica-an efficient tool for large-scale discrete event
systems. In IFAC World Congress, Tolouse, France.
Ramadge, P.J. and Wonham, W.M. (1987). Supervisory
control of a class of discrete event processes. SIAM
Journal on Control and Optimization, 25(1), 206–230.
doi:10.1137/0325013.
Ricker, L., Lafortune, S., and Genc, S. (2006). DESUMA:
A tool integrating GIDDES and UMDES. In 2006
8th International Workshop on Discrete Event Systems,
392–393. doi:10.1109/WODES.2006.382402.
Tretmans, G. (1996). Test generation with inputs, out-
puts and repetitive quiescence, 1996. URL http://doc.
utwente. nl/65463, 46.
Utting, M. and Legeard, B. (2007). Practical Model-
Based Testing: A Tools Approach. Morgan Kaufmann
Publishers Inc., San Francisco, CA, USA.
Van Der Bijl, M., Rensink, A., and Tretmans, J. (2003).
Compositional testing with IOCO. In Formal Ap-
proaches to Software Testing, volume LNCS 2931, 86–
100. Springer.
