Compositional supervisor synthesis with state merging and transition removal by Mohajerani, Sahar et al.
Working Paper Series
ISSN 1177-777X
COMPOSITIONAL SUPERVISOR SYNTHESIS WITH
STATE MERGING AND TRANSITION REMOVAL
Sahar Mohajerani, Robi Malik, Martin Fabian
Working Paper: 02/2016
January 26, 2016
© Sahar Mohajerani, Robi Malik, Martin Fabian
Department of Computer Science
The University of Waikato
Private Bag 3105
Hamilton, 3240
New Zealand
Sahar Mohajerani
Vehicle Dynamics and Active Safety Center
Volvo Cars Corporation
Göteborg, Sweden
sahar.mohajerani@volvocars.com
Robi Malik
Department of Computer Science
The University of Waikato
Hamilton, New Zealand
robi@waikato.ac.nz
Martin Fabian
Department of Signals and Systems
Chalmers University of Technology
Göteborg, Sweden
fabian@chalmers.se
Abstract
This working paper proposes a framework to obtain memory-efficient supervisors for
large discrete event systems, which are least restrictive, controllable, and nonblocking.
The approach combines compositional synthesis and state-based abstraction with tran-
sition removal to mitigate the state-space explosion problem and reduce the memory
requirements. Hiding and nondeterminism after abstraction are also supported. To en-
sure least restrictiveness after transition removal, the synthesised supervisor has the form
of cascaded maps representing the safe states. These maps have lower space complexity
than previous automata-based supervisors. The algorithm has been implemented in the
DES software tool Supremica and applied to compute supervisors for several large indus-
trial models. The results show that supervisor maps can be computed efficiently and in
many cases require less memory than automata-based supervisors.
1 Introduction
Supervisory control theory [25] provides a general framework to synthesise supervisors for
discrete event systems, which restrict the system behaviour such that a given specification is
fulfilled. To synthesise a supervisor, the set of states in which the specification is satisfied,
the so-called safe states, is calculated. The straightforward approach to find the safe states
explores the complete system state space. This may be a problem for systems with a large
number of components due to state-space explosion, which can cause the synthesis algorithm
to take a prohibitively long time or result in supervisors that are too large to implement.
To overcome state-space explosion, various approaches for modular, compositional, and
symbolic synthesis have been proposed. With modular synthesis [2,4], the calculated supervi-
sor is only least restrictive and controllable, but not necessarily nonblocking. Compositional
methods [10] are based on the idea of repeatedly simplifying and computing partial supervi-
sors while composing the system gradually. In [7, 27, 33], natural projection with additional
restrictions of output control consistency or local control consistency is used for simplifica-
tion. The methods in [9,15] allow for the removal of observable events through hiding. In [9],
a least restrictive, controllable and nonblocking supervisor is constructed in symbolic form
using state labels. Yet, the state labels are also needed during abstraction, which makes
some abstraction impossible. State labels are avoided in [15], where a two-pass algorithm
for compositional synthesis is proposed. Yet, the supervisor is an over-approximation and an
additional nonblocking check is necessary.
In [21], weak synthesis observation equivalence is used to merge states, which has bet-
ter abstraction potential compared to projection-based abstraction [22]. In addition to state
merging, halfway synthesis [9] is used to remove blocking states early. To enable the super-
visor to make correct control decisions, hiding is avoided and renaming is used to resolve
nondeterminism after abstraction. The result is a set of automata that form a modular least
restrictive, controllable, and nonblocking supervisor. Having modular supervisors reduces the
memory requirement to some extent.
While state merging and state removal can reduce the complexity, there usually are a lot
more transitions than states, and removing transitions can further reduce the memory usage.
Transition removal is problematic in [21] where the supervisors have the form of automata and
may fail to be least restrictive after the removal of transitions. A solution using redirection
maps is described in [20]. However, it is not straightforward for the redirection maps to be
combined with renaming and state merging abstraction, and therefore transition removal is
the only abstraction method in [20].
Another approach is to compute symbolic representations of supervisors. In [14], Petri
Net supervisors are represented in the form of linear constraints. In [30], the set of safe
states of a system of synchronised automata is calculated in the form of a binary decision
diagram (BDD) [5], which in [17] is attached to the original model to define a supervisor in
the form of guard formulas. While these methods provide least restrictive, controllable and
nonblocking supervisors, the resulting constraints and guard formulas may be complicated
despite substantial effort to minimise them.
This working paper presents an improved compositional synthesis approach that produces
more memory-efficient supervisors. Hiding and nondeterminism are supported. Moreover, the
state-based abstraction methods [21] are enhanced with certainly unsupervisable states [31]
and combined with transition removal [20].
This becomes possible by producing a supervisor in the form of a cascaded map that
represents the set of safe states. This is similar to forming hierarchical groups of states and
transitions as in Statecharts [11], except that the groupings are computed automatically as
part of the abstraction process. The cascaded map is compact and used directly to control the
system without the need to extract complicated guards. The space complexity of supervisor
maps and supervisor automata [21] is compared, and it is shown that the supervisor maps
require less memory. This is particularly important when the supervisor is implemented in
devices with limited memory such as PLCs.
The improved compositional synthesis algorithm has been implemented in the DES soft-
ware tool Supremica [1] and applied to compute supervisors for several large industrial models.
The performance of the algorithm is compared with the previously implemented compositional
synthesis algorithm [21]. Both algorithms successfully compute supervisors, even for systems
with more than $10^{17}$ reachable states, within a few seconds or minutes. For most examples,
the supervisor maps require less memory than the supervisor automata as is expected from
the space complexity analysis.
In the following, Section 2 briefly introduces the background of supervisory control the-
ory. Next, Section 3 explains the framework of compositional synthesis. Section 4 presents
different ways of computing abstractions that preserve the synthesis result. Section 5 de-
scribes the control architecture based on cascaded maps, while Section 6 briefly describes
the automata-based control architecture [21] and compares it to the map-based architecture.
Then, Section 7 shows experimental results obtained by applying the algorithms to several
benchmark examples, and Section 8 adds concluding remarks.
2 Preliminaries
2.1 Events and Languages
Discrete event systems [25] are modelled using events and states. Events represent incidents
that cause transitions from one state to another and are taken from a finite alphabet Σ. For
the purpose of supervisory control, the alphabet is partitioned into two disjoint subsets, the
set Σc of controllable events and the set Σu of uncontrollable events. Controllable events can
be disabled by a supervising agent, while uncontrollable events are always enabled. There are
three special events called τc, τu, and ω. The silent controllable event τc ∈ Σc and the silent
uncontrollable event τu ∈ Σu label transitions that are not taken by any component other
than the one being considered. The termination event ω ∈ Σc is used to show completion of
a task.
The set of all finite traces of events from Σ, including the empty trace ε, is denoted by Σ∗.
A subset L ⊆ Σ∗ is called a language. The concatenation of two traces s, t ∈ Σ∗ is written
as $st$. The natural projection $P\colon \Sigma^* \to (\Sigma \setminus \{\tau_c, \tau_u\})^*$ is the operation that removes from
traces $s \in \Sigma^*$ all occurrences of the silent events $\tau_c$ and $\tau_u$.
2.2 Finite-State Automata
System behaviours are typically modelled by deterministic automata, but nondeterministic
automata may arise as intermediate results during abstraction.
Definition 1 A (nondeterministic, finite) automaton is a tuple $G = \langle \Sigma, Q, Q^\circ, \to\rangle$, where
$\Sigma$ is a finite set of events, $Q$ is a finite set of states, $Q^\circ \subseteq Q$ is the set of initial states, and
${\to} \subseteq Q \times \Sigma \times Q$ is the state transition relation.
The transition relation is written in infix notation $x \xrightarrow{\sigma} y$, and is extended to traces and
languages in the standard way. For example, $x \xrightarrow{\tau_u^*\sigma} y$ means that there exists a possibly empty
sequence of $\tau_u$-transitions followed by a $\sigma$-transition leading from state $x$ to $y$. Furthermore,
$x \xrightarrow{s}$ means $x \xrightarrow{s} y$ for some $y \in Q$. These notations also apply to state sets and to automata:
$X \xrightarrow{s} Y$ for $X, Y \subseteq Q$ means $x \xrightarrow{s} y$ for some $x \in X$ and $y \in Y$, and $G \xrightarrow{s} x$ means $Q^\circ \xrightarrow{s} x$.
The termination event $\omega$ denotes completion of a task and does not appear anywhere
else but to mark such completions. It is required that states reached by $\omega$ do not have any
outgoing transitions, i.e., if $x \xrightarrow{\omega} y$ then there does not exist $\sigma \in \Sigma$ such that $y \xrightarrow{\sigma}$. This
ensures that the termination event, if it occurs, is always the final event of any trace. The
traditional set of marked states is $Q^\omega = \{x \in Q \mid x \xrightarrow{\omega}\}$ in this notation.
The interaction between automata is modelled by lock-step synchronisation [12]. An
event shared between a set of automata, must be executed by all the automata together
synchronously, while events used by only one automaton (and the silent events τc and τu) are
executed by only that automaton.
Definition 2 The synchronous composition of two automata $G_1 = \langle \Sigma_1, Q_1, Q_1^\circ, \to_1\rangle$ and
$G_2 = \langle \Sigma_2, Q_2, Q_2^\circ, \to_2\rangle$ is
$$G_1 \parallel G_2 = \langle \Sigma_1 \cup \Sigma_2,\; Q_1 \times Q_2,\; Q_1^\circ \times Q_2^\circ,\; \to\rangle \quad (1)$$
where
• $(x_1, x_2) \xrightarrow{\sigma} (y_1, y_2)$, if $\sigma \in (\Sigma_1 \cap \Sigma_2) \setminus \{\tau_c, \tau_u\}$, $x_1 \xrightarrow{\sigma}_1 y_1$, and $x_2 \xrightarrow{\sigma}_2 y_2$;
• $(x_1, x_2) \xrightarrow{\sigma} (y_1, x_2)$, if $\sigma \in (\Sigma_1 \setminus \Sigma_2) \cup \{\tau_c, \tau_u\}$ and $x_1 \xrightarrow{\sigma}_1 y_1$;
• $(x_1, x_2) \xrightarrow{\sigma} (x_1, y_2)$, if $\sigma \in (\Sigma_2 \setminus \Sigma_1) \cup \{\tau_c, \tau_u\}$ and $x_2 \xrightarrow{\sigma}_2 y_2$.
A common operation in compositional synthesis is hiding, which replaces events from a
given set Υ by the silent events τc and τu, depending on whether the event to be replaced is
controllable or uncontrollable.
Definition 3 [9] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton and $\Upsilon \subseteq \Sigma$. The result of
controllability-preserving hiding of $\Upsilon$ from $G$ is $G \setminus_! \Upsilon = \langle \Sigma \setminus \Upsilon, Q, Q^\circ, \to_!\rangle$, where $\to_!$ is
obtained from $\to$ by replacing each transition $x \xrightarrow{\sigma} y$ such that $\sigma \in \Upsilon$ by $x \xrightarrow{\tau_c} y$ if $\sigma \in \Sigma_c$ or
by $x \xrightarrow{\tau_u} y$ if $\sigma \in \Sigma_u$.
Another common automaton operation is the quotient modulo an equivalence relation on
the state set.
Definition 4 Let $X$ be a set. A relation ${\sim} \subseteq X \times X$ is called an equivalence relation
on $X$ if it is reflexive, symmetric, and transitive. Given an equivalence relation $\sim$ on $X$, the
equivalence class of $x \in X$ is $[x] = \{x' \in X \mid x \sim x'\}$, and $X/{\sim} = \{[x] \mid x \in X\}$ is the set of
all equivalence classes modulo $\sim$.
Definition 5 Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton and let ${\sim} \subseteq Q \times Q$ be an equivalence
relation. The quotient automaton of $G$ modulo $\sim$ is
$$G/{\sim} = \langle \Sigma, Q/{\sim}, \tilde Q^\circ, \to/{\sim}\rangle\,, \quad (2)$$
where $\to/{\sim} = \{([x], \sigma, [y]) \mid x \xrightarrow{\sigma} y\}$ and $\tilde Q^\circ = \{[x^\circ] \mid x^\circ \in Q^\circ\}$.
2.3 Supervisory Control Theory
Supervisory control theory [25] provides a means to automatically compute a so-called super-
visor that controls a given system to fulfil some desired functionality. Given an automata
model of the possible behaviour of a physical system, called the plant, a supervisor is sought to
restrict the behaviour in such a way that only a certain subset of the state space is reachable.
The supervisor is implemented as a control function
$$\Phi\colon Q \to 2^{\Sigma \times Q} \quad (3)$$
that assigns to each state $x \in Q$ the set $\Phi(x)$ of transitions to be enabled in this state. That
is, a transition $x \xrightarrow{\sigma} y$ with $\sigma \in \Sigma_c$ will only be possible under the control of supervisor $\Phi$
if $(\sigma, y) \in \Phi(x)$. Transitions with uncontrollable events cannot be disabled, so it is required
that $\Sigma_u \times Q \subseteq \Phi(x)$ for all $x \in Q$.
In a deterministic system, the supervisor can be viewed more simply as a function
$$\Phi_{\mathrm{det}}\colon Q \to 2^{\Sigma_c} \quad (4)$$
that assigns to each state the set of enabled controllable events. In a nondeterministic system,
the supervisor (3) can enable and disable transitions with controllable events individually,
i.e., if a state $x$ has more than one outgoing transition with the same controllable event $\sigma$, then
the supervisor may disable some of them while leaving others enabled [9]. This is justified
by the modelling assumptions of this working paper, where the nondeterminism is the result
of abstraction, and it is assumed that the supervisor knows the complete system and can
distinguish all transitions.
Definition 6 [9] $G_1 = \langle \Sigma, Q_1, Q_1^\circ, \to_1\rangle$ is a subautomaton of $G_2 = \langle \Sigma, Q_2, Q_2^\circ, \to_2\rangle$, written
$G_1 \subseteq G_2$, if $Q_1 \subseteq Q_2$, $Q_1^\circ \subseteq Q_2^\circ$, and ${\to_1} \subseteq {\to_2}$.
A subautomaton $K$ of $G$ consists of a subset of the states and transitions of $G$. It represents
a supervisor that enables only those transitions present in $K$, i.e., it implements the control
function
$$\Phi_K(x) = (\Sigma_u \times Q) \cup \{(\sigma, y) \in \Sigma_c \times Q \mid x \xrightarrow{\sigma}_K y\}\,. \quad (5)$$
Not every subautomaton of G can be implemented through control—the property of control-
lability [25] characterises those behaviours that can be implemented.
Definition 7 [9] Let $G = \langle \Sigma, Q_G, Q_G^\circ, \to_G\rangle$ and $K = \langle \Sigma, Q_K, Q_K^\circ, \to_K\rangle$ such that $K \subseteq G$.
Then $K$ is called controllable in $G$ if, for all states $x \in Q_K$ and $y \in Q_G$ and for every
uncontrollable event $\upsilon \in \Sigma_u$ such that $x \xrightarrow{\upsilon}_G y$, it also holds that $x \xrightarrow{\upsilon}_K y$.
If a subautomaton K is controllable in G, then K must contain all uncontrollable transi-
tions in G that originate from a state of K. Controllability ensures that the supervisor can
be implemented without disabling any uncontrollable events. In addition to controllability,
the supervised behaviour is typically required to be nonblocking.
Definition 8 [16] An automaton $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ is nonblocking, if for every state $x \in Q$
and every trace $s \in (\Sigma \setminus \{\omega\})^*$ such that $G \xrightarrow{s} x$, there exists $t \in (\Sigma \setminus \{\omega\})^*$ such that $x \xrightarrow{t\omega}$.
Given a plant automaton G, the objective of supervisor synthesis [25] is to compute a
subautomaton K ⊆ G, which is controllable and nonblocking and restricts the behaviour of G
as little as possible. The set of subautomata of G forms a lattice, and the upper bound of
a set of controllable and nonblocking subautomata in this lattice is again controllable and
nonblocking.
Theorem 1 [9] Let G = 〈Σ, Q,Q◦,→〉 be an automaton. There exists a unique subau-
tomaton supC(G) ⊆ G such that supC(G) is nonblocking and controllable in G, and such that
for every subautomaton S ⊆ G that is also nonblocking and controllable in G, it holds that
S ⊆ supC(G).
The subautomaton supC(G) represents the unique least restrictive controllable and non-
blocking sub-behaviour of G that can be achieved by any possible supervisor. It can be
computed by iteratively removing blocking states and states leading to blocking states via
uncontrollable events, according to the following definitions, until a fixpoint is reached [9].
Definition 9 [9] The restriction of $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ to $X \subseteq Q$ is
$$G_{|X} = \langle \Sigma, Q, Q^\circ \cap X, \to_{|X}\rangle\,, \quad (6)$$
where $\to_{|X} = \{(x, \sigma, y) \in {\to} \mid x, y \in X\} \cup \{(x, \omega, y) \in {\to} \mid x \in X\}$.
Definition 10 [9] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton. The synthesis step operator
$\Theta_G\colon 2^Q \to 2^Q$ for $G$ is defined as $\Theta_G(X) = \Theta_G^{\mathrm{cont}}(X) \cap \Theta_G^{\mathrm{nonb}}(X)$, where
$$\Theta_G^{\mathrm{cont}}(X) = \{x \in Q \mid \text{for all transitions } x \xrightarrow{\upsilon} y \text{ with } \upsilon \in \Sigma_u \text{ it holds that } y \in X\}\,; \quad (7)$$
$$\Theta_G^{\mathrm{nonb}}(X) = \{x \in Q \mid x \xrightarrow{t\omega}_{|X} \text{ for some } t \in \Sigma^*\}\,. \quad (8)$$
Given a state set $X \subseteq Q$, the operator $\Theta_G^{\mathrm{cont}}$ removes from $X$ any states that have an
uncontrollable successor not contained in $X$, and $\Theta_G^{\mathrm{nonb}}$ removes any states from where it is
not possible to execute the termination event $\omega$ using only transitions contained in $X$. Thus,
$\Theta_G^{\mathrm{cont}}$ captures controllability and $\Theta_G^{\mathrm{nonb}}$ captures the nonblocking property. Both operators
and their combination $\Theta_G$ are monotonic, and it follows by the Knaster-Tarski theorem [29]
that they have greatest fixpoints. The least restrictive synthesis result $\mathrm{supC}(G)$ is obtained
by restricting $G$ to the greatest fixpoint of $\Theta_G$.
Theorem 2 [9] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$. The synthesis step operator $\Theta_G$ for $G$ has a greatest
fixpoint $\hat\Theta_G = \mathrm{gfp}\,\Theta_G \subseteq Q$, such that $G_{|\hat\Theta_G}$ is the greatest subautomaton of $G$ that is both
controllable in $G$ and nonblocking, i.e., $\mathrm{supC}(G) = G_{|\hat\Theta_G}$.
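As an added illustration that is not part of the working paper, the following Python code computes $\hat\Theta_G$ by iterating the synthesis step operator of Definition 10 downwards from $Q$ until it stabilises, and then builds $\mathrm{supC}(G) = G_{|\hat\Theta_G}$ with the restriction of Definition 9 and the control function of (5). The plant (a machine that can break, be repaired, or be driven by a controllable "risky" event into a state whose only continuation is an uncontrollable failure) is constructed for this example; its event names and controllability partition are not from the paper.

```python
# Added example (not from the paper): the synthesis step operator of
# Definition 10 iterated to its greatest fixpoint (Theorem 2), returning the
# safe state set and the restriction G|X of Definition 9.  The plant below
# and its controllability partition are constructed for illustration.
OMEGA = "omega"


def restrict_trans(g, X):
    """->|X of Definition 9: transitions inside X plus omega-transitions leaving X."""
    return {(x, s, y) for x, s, y in g["trans"]
            if x in X and (y in X or s == OMEGA)}


def theta_cont(g, X, uncontrollable):
    """Theta^cont_G(X), eq. (7): states all of whose uncontrollable successors lie in X."""
    return {x for x in g["states"]
            if all(y in X for src, s, y in g["trans"]
                   if src == x and s in uncontrollable)}


def theta_nonb(g, X):
    """Theta^nonb_G(X), eq. (8): states that reach omega using only ->|X, found by
    backward reachability from the sources of omega-transitions.  The target of
    an omega-transition has no outgoing transitions and so is never included."""
    trans = restrict_trans(g, X)
    good = {x for x, s, _ in trans if s == OMEGA}
    frontier = set(good)
    while frontier:
        frontier = {x for x, _, y in trans if y in frontier and x not in good}
        good |= frontier
    return good


def sup_c(g, uncontrollable):
    """Greatest fixpoint of Theta_G (Theorem 2) by descending iteration from Q;
    returns the safe states and supC(G) = G|X."""
    X = set(g["states"])
    while True:
        Y = theta_cont(g, X, uncontrollable) & theta_nonb(g, X)
        if Y == X:
            break
        X = Y
    return X, {"events": set(g["events"]), "states": set(g["states"]),
               "init": g["init"] & X, "trans": restrict_trans(g, X)}


def enabled_controllable(k, x, uncontrollable):
    """Controllable part of the control function Phi_K(x) in eq. (5)."""
    return {(s, y) for src, s, y in k["trans"] if src == x and s not in uncontrollable}


# Constructed plant: "risky" (controllable) leads to a state whose only exit is the
# uncontrollable "fail" into a dead end, so synthesis must disable risky in idle.
UNCONTROLLABLE = {"finish", "break", "fail"}
G = {"events": {"start", "finish", "break", "repair", "risky", "fail", OMEGA},
     "states": {"idle", "working", "broken", "unsafe", "dead", "done"},
     "init": {"idle"},
     "trans": {("idle", "start", "working"), ("working", "finish", "idle"),
               ("working", "break", "broken"), ("broken", "repair", "idle"),
               ("idle", "risky", "unsafe"), ("unsafe", "fail", "dead"),
               ("idle", OMEGA, "done")}}

if __name__ == "__main__":
    safe, k = sup_c(G, UNCONTROLLABLE)
    print("safe states:", sorted(safe))
    print("enabled in idle:", sorted(enabled_controllable(k, "idle", UNCONTROLLABLE)))
```

The first iteration drops dead (no path to $\omega$) and unsafe (its only successor is unreachable to $\omega$); the second drops nothing new from the controllability side for the remaining states and the fixpoint is reached, with the controllable transition idle $\xrightarrow{\text{risky}}$ unsafe removed by the restriction and the $\omega$-transition from idle retained even though its target is outside the fixpoint.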
The operator supC only defines the synthesis result for a plant automaton G. In order to
apply this synthesis to control problems that also involve specifications, the transformation
proposed in [9] is used. Specification automata are transformed into plants by adding, for
every uncontrollable event that is not enabled in a state, a transition to a new blocking state $\bot$.
This transforms all potential controllability problems into potential blocking problems.
3 Compositional Synthesis
This section gives an overview of the compositional synthesis framework. The input to com-
positional synthesis is an arbitrary set of deterministic automata representing the plant to be
controlled,
$$\mathcal{G}_0 = \{G_1, G_2, \ldots, G_n\}\,. \quad (9)$$
The objective is to calculate a supervisor that constrains the behaviour of $\mathcal{G}_0$ to its least
restrictive nonblocking sub-behaviour, by disabling only controllable events.
Compositional synthesis works by repeated abstraction of system components. Using
abstraction, some components $G_i$ in (9) are replaced by simpler versions $G'_i$. If this is no
longer possible, then some components are composed, i.e., replaced by their synchronous
composition, which can then be simplified using abstraction. This procedure eventually leads
to a single automaton that after abstraction is simpler than the original system. The final
step is to perform standard synthesis [25] on this last relatively small automaton.
To obtain a supervisor from the synthesis result, Theorem 2 suggests that it is enough to
compute the set $\hat\Theta_{\mathcal{G}_0}$ of safe states. This set can be obtained from the synthesis result of the
final abstraction, if it is known how the states of the original system $\mathcal{G}_0$ have been abstracted.
Therefore compositional synthesis does not only keep track of an abstracted system $\mathcal{G}$, but
also of a map $\mu$ that links the states of the original plant $\mathcal{G}_0$ at the start of the algorithm to the
states of the current abstraction. The abstracted system $\mathcal{G}$ and the map $\mu$ are combined in a
synthesis pair, which is the main data structure manipulated by the compositional synthesis
algorithm.
Definition 11 Let $\mathcal{G}_0$ be a set of automata. A synthesis pair for $\mathcal{G}_0$ is a pair $(\mathcal{G};\mu)$, where
$\mathcal{G}$ is a set of automata and $\mu$ is a map $\mu\colon Q_{\mathcal{G}_0} \to Q_{\mathcal{G}}$.
In Definition 11, $Q_{\mathcal{G}}$ represents the set of states of the synchronous composition of $\mathcal{G}$.
Synthesis pairs replace synthesis triples [21]. Synthesis pairs are simpler than synthesis triples,
which in addition contain supervisor automata and renaming information, while synthesis
pairs only contain the information that leads to the set of safe states.
While manipulating synthesis pairs, the compositional synthesis algorithm maintains the
invariant that all generated pairs have the same synthesis result, which is equivalent to the
least restrictive solution of the original control problem (9). Every abstraction step must
ensure that the synthesis result is the same as it would have been for the non-abstracted
components. This property is called synthesis equivalence.
Definition 12 Let $(\mathcal{G}_1;\mu_1)$ and $(\mathcal{G}_2;\mu_2)$ be two synthesis pairs for $\mathcal{G}_0$. Then $(\mathcal{G}_1;\mu_1)$ and
$(\mathcal{G}_2;\mu_2)$ are synthesis equivalent, written $(\mathcal{G}_1;\mu_1) \simeq_{\mathrm{synth}} (\mathcal{G}_2;\mu_2)$, if for all $x \in Q_{\mathcal{G}_0}$ it holds
that $\mu_1(x) \in \hat\Theta_{\mathcal{G}_1}$ if and only if $\mu_2(x) \in \hat\Theta_{\mathcal{G}_2}$.
At the beginning of compositional synthesis on input $\mathcal{G}_0$, no states have been abstracted,
so the initial synthesis pair is $(\mathcal{G}_0;\mathrm{id})$, where $\mathrm{id}\colon Q_{\mathcal{G}_0} \to Q_{\mathcal{G}_0}$ is the identity map, i.e., $\mathrm{id}(x) = x$
for all $x \in Q_{\mathcal{G}_0}$. This initial pair is abstracted repeatedly such that synthesis equivalence is
preserved,
$$(\mathcal{G}_0;\mathrm{id}) \simeq_{\mathrm{synth}} (\mathcal{G}_1;\mu_1) \simeq_{\mathrm{synth}} \cdots \simeq_{\mathrm{synth}} (\mathcal{G}_k;\mu_k)\,. \quad (10)$$
Some of these steps replace an automaton in $\mathcal{G}_k$ by an abstraction, others reduce the number
of automata in $\mathcal{G}_k$ by synchronous composition. The algorithm terminates when $\mathcal{G}_k$ contains
a single automaton, for which the synthesis solution $\hat\Theta_{\mathcal{G}_k}$ is computed. As each step in (10)
preserves synthesis equivalence, a state $x$ of the original system $\mathcal{G}_0$ is safe, i.e., $x \in \hat\Theta_{\mathcal{G}_0}$, if and
only if the state that $x$ is mapped to by the final map $\mu_k$ is contained in the final synthesis
result, i.e., $\mu_k(x) \in \hat\Theta_{\mathcal{G}_k}$. This information is enough to implement a supervisor as explained
below in Section 5.
4 Abstraction Methods
Compositional synthesis is a series of steps to rewrite synthesis pairs into equivalent synthesis
pairs such that synthesis equivalence is preserved. In the following, Section 4.1 introduces
the general concepts of hiding and state-wise synthesis abstraction. Then Sections 4.2–4.5
describe the methods to simplify and compose automata, namely the removal of certainly un-
supervisable states [31], the merging of states based on synthesis observation equivalence [21],
transition removal [20], and the fallback method of synchronous composition. All the meth-
ods are adapted in the synthesis pair framework, and it is shown how the supervisor map is
constructed after each abstraction. Finally, Section 4.6 gives an example to show how these
methods work together to compute a supervisor.
4.1 Hiding and State-wise Synthesis Abstraction
Simplification in compositional synthesis is based on local events. An event that appears in
only one of the components of the system (9) is called local. These events are not needed for
synchronisation, so their identity is irrelevant and they can be removed using controllability-
preserving hiding (Definition 3). This replaces them by the silent events τc and τu, which are
used by most simplification methods.
After hiding, various methods have been proposed to simplify a single automaton without
further considering the remainder of the system [9, 20, 21]. The following definition of state-
wise synthesis abstraction provides a general description that captures all the abstractions in
the following subsections.
Definition 13 Let $G = \langle \Sigma, Q_G, Q_G^\circ, \to_G\rangle$ and $H = \langle \Sigma, Q_H, Q_H^\circ, \to_H\rangle$ be two automata. A
map $\mu\colon Q_G \to Q_H$ is a state-wise synthesis abstraction from $G$ to $H$, if for all automata
$T = \langle \Sigma_T, Q_T, Q_T^\circ, \to_T\rangle$ and for all states $x_T \in Q_T$ and $x_G \in Q_G$ the following equivalence
holds:
$$(x_G, x_T) \in \hat\Theta_{G \parallel T} \quad\text{if and only if}\quad (\mu(x_G), x_T) \in \hat\Theta_{H \parallel T}\,.$$
State-wise synthesis abstraction is defined by a map that relates states of a single automa-
ton G before and after abstraction if they have the same synthesis behaviour in every possible
environment T . That is, no matter what other automaton G is composed with, either both
the original and the abstracted states are removed in synthesis, or none of them are removed.
The following proposition confirms that the state-wise synthesis abstraction of an automaton
preserves synthesis equivalence of the complete synthesis pairs.
Proposition 3 Let $(\mathcal{G};\mu)$ be a synthesis pair for $\mathcal{G}_0$ with $\mathcal{G} = \{G_1, \ldots, G_n\}$. Let $\mu_1$ be a state-
wise synthesis abstraction from $G_1$ to $H_1$, let $\mathcal{H} = \{H_1, G_2, \ldots, G_n\}$, and let $\tilde\mu_1\colon Q_{\mathcal{G}} \to Q_{\mathcal{H}}$
such that $\tilde\mu_1(y_1, y_2, \ldots, y_n) = (\mu_1(y_1), y_2, \ldots, y_n)$. Then $(\mathcal{G};\mu) \simeq_{\mathrm{synth}} (\mathcal{H}; \tilde\mu_1 \circ \mu)$.
Proof. Let $x \in Q_{\mathcal{G}_0}$ and $\mu(x) = (y_1, \ldots, y_n)$.
First assume $\mu(x) \in \hat\Theta_{\mathcal{G}}$. This means $(y_1, \ldots, y_n) \in \hat\Theta_{\mathcal{G}} = \hat\Theta_{G_1 \parallel \cdots \parallel G_n}$. Considering $T =
G_2 \parallel \cdots \parallel G_n$ in Definition 13, it holds that $\tilde\mu_1(\mu(x)) = \tilde\mu_1(y_1, y_2, \ldots, y_n) = (\mu_1(y_1), y_2, \ldots, y_n) \in
\hat\Theta_{H_1 \parallel G_2 \parallel \cdots \parallel G_n} = \hat\Theta_{\mathcal{H}}$.
Conversely assume that $\tilde\mu_1(\mu(x)) \in \hat\Theta_{\mathcal{H}}$. This means $(\mu_1(y_1), y_2, \ldots, y_n) = \tilde\mu_1(y_1, \ldots,
y_n) = \tilde\mu_1(\mu(x)) \in \hat\Theta_{\mathcal{H}} = \hat\Theta_{H_1 \parallel G_2 \parallel \cdots \parallel G_n}$. Considering $T = G_2 \parallel \cdots \parallel G_n$ in Definition 13, it holds
that $\mu(x) = (y_1, \ldots, y_n) \in \hat\Theta_{G_1 \parallel \cdots \parallel G_n} = \hat\Theta_{\mathcal{G}}$. □
Figure 1: Example automata and abstractions. [Figure not reproduced. The drawing shows the automata $G$, $\mathrm{unsupC}(G)$, $H$, $C$ and $\tilde C$ used in Examples 1–4: $G$ has states $p_0$, $p_1$, $p_2$, $p_3$ and $\bot$, $\mathrm{unsupC}(G)$ and $H$ have states $p_0$, $p_1$, $p_2$ and $\bot$, all with transitions labelled $\tau_c$, $\tau_u$, $\alpha$ and $!\upsilon$; $C$ has states $c_0, \ldots, c_4$ and $\tilde C$ has states $c'_0, \ldots, c'_3$, with transitions labelled $\alpha$, $\tau_u$ and $!\upsilon$.]
4.2 Removal of Certainly Unsupervisable States
For some states of an automaton G, it is known that they must be avoided by synthesis in
every possible context. That is, no matter what other automata are later composed with G, it
is clear that these states are unsafe. Blocking states are examples of such states, but there are
more states with this property. Halfway synthesis [9] is a simple method to find and remove
such states. Even though halfway synthesis works well in compositional synthesis [21], it does
not identify all the removable states. The largest set of removable states is known as the
set of certainly unsupervisable states [31]. In the following, their removal is adapted to the
synthesis pair framework.
Definition 14 [31] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton. The certainly unsupervisable
state set of $G$ is
$$\mathcal{U}(G) = \{x \in Q \mid \text{for every automaton } T = \langle \Sigma, Q_T, Q_T^\circ, \to_T\rangle \text{ and every state } x_T \in Q_T \text{ it holds that } (x, x_T) \notin \hat\Theta_{G \parallel T}\}\,. \quad (11)$$
A state $x$ of $G$ is certainly unsupervisable, if there exists no other automaton $T$ such that
the state $x$ is present in the least restrictive synthesis result $\hat\Theta_{G \parallel T}$. If a state is certainly
unsupervisable, it is known that this state will be removed by every synthesis. If such states
are encountered in an automaton during compositional synthesis, they can be removed before
composing this automaton further.
Example 1 Consider automaton $G$ in Figure 1. Event $\alpha$ is controllable, and $!\upsilon$ is uncon-
trollable. Clearly the blocking state $\bot$ is certainly unsupervisable. In addition, state $p_3$ is
also certainly unsupervisable, because of the silent uncontrollable transition $p_3 \xrightarrow{\tau_u} \bot$. As this
transition is silent, no other component disables it, and as it is uncontrollable, the supervisor
cannot disable it. Therefore, if the automaton ever enters state $p_3$, blocking is unavoidable.
State $p_1$, however, may still be safe as some other components may disable event $!\upsilon$.
A cubic-complexity algorithm [31] can be used to find all the certainly unsupervisable
states in an automaton. Then the automaton can be simplified according to the following
definition.
Definition 15 [31] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton. The result of unsupervisability
removal from $G$ is the automaton
$$\mathrm{unsupC}(G) = \langle \Sigma, Q_{\mathrm{unsup}}, Q^\circ, \to_{\mathrm{unsup}}\rangle\,, \quad (12)$$
where
$$Q_{\mathrm{unsup}} = (Q \setminus \mathcal{U}(G)) \cup \{\bot\}\,; \quad (13)$$
$$\to_{\mathrm{unsup}} = \{(x, \sigma, y) \in {\to} \mid x, y \notin \mathcal{U}(G)\} \cup \{(x, \upsilon, \bot) \mid x \notin \mathcal{U}(G),\ \upsilon \in \Sigma_u \cup \{\omega\},\ \text{and } x \xrightarrow{\upsilon} \mathcal{U}(G)\}\,. \quad (14)$$
Here and in the following, the state ⊥ is assumed to be a state without any outgoing
transitions. The automaton resulting from unsupervisability removal has a state set, which is
obtained by removing certainly unsupervisable states except for ⊥. All controllable transitions
to certainly unsupervisable states are removed, as these transitions can always be disabled
by the supervisor and therefore never appear in the final synthesis result. Uncontrollable
and ω-transitions to certainly unsupervisable states, however, are retained because they are
needed to inform future synthesis steps.
Example 2 Consider again automaton G in Figure 1. To obtain unsupC(G), the certainly
unsupervisable states p3 and ⊥, identified in Example 1, are replaced by the single blocking
state ⊥. The resulting automaton is shown in Figure 1.
Proposition 4 Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton and let the mapping $\mu\colon Q \to Q_{\mathrm{unsup}}$
be defined by
$$\mu(x) = \begin{cases} x, & \text{if } x \in Q \setminus \mathcal{U}(G); \\ \bot, & \text{if } x \in \mathcal{U}(G). \end{cases} \quad (15)$$
Then $\mu$ is a state-wise synthesis abstraction from $G$ to $\mathrm{unsupC}(G)$.
After removing the unsupervisable states, a map is generated that maps the unsupervisable
states to ⊥. Proposition 4 confirms that this is a state-wise synthesis abstraction map. The
proof follows from the results of [31].
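As an added illustration that is not part of the working paper, the following Python code performs unsupervisability removal according to (12)–(14) and builds the map (15). The cubic algorithm of [31] that computes all of $\mathcal{U}(G)$ is not reproduced; instead a simple sound closure in the spirit of halfway synthesis [9] is used (states from which $\omega$ cannot be reached, plus states with a silent $\tau_u$-transition into the set, iterated to a fixpoint), which may miss certainly unsupervisable states and therefore under-approximates $\mathcal{U}(G)$. The automaton is constructed for this example and only loosely modelled on Example 1; the ASCII event name "!v" stands in for $!\upsilon$.

```python
# Added example (not from the paper): unsupervisability removal as in
# Definition 15 and the map of Proposition 4.  U(G) is under-approximated by a
# sound closure in the spirit of halfway synthesis [9], not by the cubic
# algorithm of [31].  The automaton is constructed, loosely modelled on Example 1.
TAU_C, TAU_U, OMEGA, BOT = "tau_c", "tau_u", "omega", "⊥"


def certainly_unsupervisable(g):
    """Sound under-approximation of U(G): a state is added if it cannot reach
    omega through states not yet in U, or if a silent uncontrollable tau_u
    transition leads from it into U (no context and no supervisor can stop that)."""
    U = set()
    while True:
        live = g["states"] - U
        good = {x for x, s, _ in g["trans"] if s == OMEGA and x in live}
        frontier = set(good)
        while frontier:                      # backward reachability to omega within live
            frontier = {x for x, _, y in g["trans"]
                        if y in frontier and x in live and x not in good}
            good |= frontier
        new = (live - good) | {x for x, s, y in g["trans"]
                               if s == TAU_U and y in U and x in live}
        if not new:
            return U
        U |= new


def unsup_c(g, U, uncontrollable):
    """unsupC(G), eqs. (12)-(14): drop U except bot, keep transitions among the
    remaining states, redirect uncontrollable and omega transitions into U to bot,
    and silently drop controllable transitions into U."""
    keep = g["states"] - U
    trans = {(x, s, y) for x, s, y in g["trans"] if x in keep and y in keep}
    trans |= {(x, s, BOT) for x, s, y in g["trans"]
              if x in keep and y in U and (s in uncontrollable or s == OMEGA)}
    return {"events": set(g["events"]), "states": keep | {BOT},
            "init": set(g["init"]), "trans": trans}


def unsup_map(g, U):
    """The state-wise synthesis abstraction map of eq. (15)."""
    return {x: (BOT if x in U else x) for x in g["states"]}


UNCONTROLLABLE = {TAU_U, "!v"}                   # tau_u is in Sigma_u, alpha/beta are controllable
G = {"events": {TAU_C, TAU_U, "alpha", "beta", "!v", OMEGA},
     "states": {"p0", "p1", "p2", "p3", BOT, "done"},
     "init": {"p0"},
     "trans": {("p0", TAU_C, "p0"), ("p0", "alpha", "p1"), ("p1", TAU_C, "p0"),
               ("p1", TAU_U, "p2"), ("p2", TAU_C, "p0"), ("p1", "!v", "p3"),
               ("p3", "beta", "p0"),        # p3 could still terminate via beta ...
               ("p3", TAU_U, BOT),          # ... but the tau_u into bot cannot be prevented
               ("p0", OMEGA, "done")}}

if __name__ == "__main__":
    U = certainly_unsupervisable(G)
    h = unsup_c(G, U, UNCONTROLLABLE)
    print("U(G) contains at least", sorted(U), "| remaining states:", sorted(h["states"]))
```

Here $p_3$ is not blocking on its own (it can return to $p_0$ via the controllable beta), yet it is still certainly unsupervisable because of its $\tau_u$-transition into $\bot$, exactly the reasoning of Example 1; $p_1$ survives because its only way into $p_3$ is the shared uncontrollable event !v, which a later component may disable, and that transition is redirected to $\bot$ so that future synthesis steps still see it. The target of the $\omega$-transition has no outgoing transitions and so also ends up in the set; the $\omega$-transition itself is retained and redirected to $\bot$, as (14) prescribes.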
4.3 Abstraction by State Merging
In addition to the removal of certainly unsupervisable states, it is of interest to merge states
with equivalent behaviour. While no method is known to identify all equivalent states in
compositional synthesis, several approximations have been proposed [21]. One of these is
weak synthesis observation equivalence, defined as follows.
Definition 16 [21] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton. An equivalence relation
${\sim} \subseteq Q \times Q$ is a weak synthesis observation equivalence on $G$ if the following conditions hold
for all $x_1, x_2 \in Q$ such that $x_1 \sim x_2$:
(i) If $x_1 \xrightarrow{\sigma} y_1$ for $\sigma \in \Sigma_c$, then there exists a path $x_2 = x_2^0 \xrightarrow{\tau_1} \cdots \xrightarrow{\tau_n} x_2^n \xrightarrow{P(\sigma)} y_2^{n+1} \xrightarrow{\tau_{n+1}} \cdots \xrightarrow{\tau_m} y_2^{m+1} = y_2$ such that $y_1 \sim y_2$ and,
a) if $\tau_i = \tau_c$ for some $i \le n$, then $x_1 \sim x_2^i$;
b) if $y_2^i \xrightarrow{\tau_u^*} z$ then $z \sim y_2^j$ for some $n+1 \le j \le m+1$;
c) if $y_2^i \xrightarrow{\tau_u^* \upsilon \tau_u^*} z$ for some $\upsilon \in \Sigma_u \setminus \{\tau_u\}$, then $y_2 \xrightarrow{\tau_u^* \upsilon \tau_u^*} z'$ for some $z' \sim z$.
(ii) If $x_1 \xrightarrow{\upsilon} y_1$ for $\upsilon \in \Sigma_u$, then there exist $t_2, u_2 \in \tau_u^*$ such that $x_2 \xrightarrow{t_2 P(\upsilon) u_2} y_2$ and $y_1 \sim y_2$.
Proposition 5 Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton and let ${\sim} \subseteq Q \times Q$ be a weak
synthesis observation equivalence on $G$. Let the mapping $\mu\colon Q \to Q/{\sim}$ be such that for all
$x \in Q$ it holds that $\mu(x) = [x]$. Then $\mu$ is a state-wise synthesis abstraction from $G$ to $G/{\sim}$.
After merging weakly synthesis observation equivalent states, each state x is mapped to
the equivalence class [x] in the abstracted automaton. Proposition 5 confirms that this is a
state-wise synthesis abstraction map. The proof can be found in [19].
Example 3 Consider automaton $C$ in Figure 1, with $\alpha$ controllable and $!\upsilon$ uncontrollable.
An equivalence relation with $c_0 \sim c_1$ is a synthesis observation equivalence on $C$. Merging the
equivalent states results in the synthesis equivalent nondeterministic automaton $\tilde C = C/{\sim}$
shown in Figure 1. Accordingly, the map $\mu_1$ such that $\mu_1(c_0) = \mu_1(c_1) = c'_0$, $\mu_1(c_2) = c'_1$,
$\mu_1(c_3) = c'_2$, and $\mu_1(c_4) = c'_3$ is a state-wise synthesis abstraction from $C$ to $\tilde C$.
4.4 Synthesis Transition Removal
Another way of abstracting an automaton is by removing redundant transitions. Methods to
remove transitions in compositional synthesis are described in [20], where redirection maps
are used to enable the supervisor to make control decisions for the removed transitions. These
abstraction methods are not used in the compositional synthesis framework of [21], as there it is
not straightforward to combine redirection maps with renaming and state merging. However,
there usually are many more transitions than states in an automaton, and removing transitions
can significantly decrease memory usage. All the transition removal methods in [20] are
combined in the following general definitions, and it is shown that the need for redirection
maps and the associated problems do not arise when synthesis pairs are used.
Definition 17 [20] Let $G = \langle \Sigma, Q, Q^\circ, \to\rangle$ be an automaton. A path
$$x_0 \xrightarrow{\tau_1} x_1 \xrightarrow{\tau_2} \cdots \xrightarrow{\tau_k} x_k \quad (16)$$
where $\tau_i \in \{\tau_c, \tau_u\}$ for $1 \le i \le k$, is a weakly controllable path if for all uncontrollable
transitions $x_l \xrightarrow{\upsilon} y$ with $0 \le l < k$ it holds that $\upsilon = \tau_u$ and $y = x_j$ for some $0 \le j \le k$.
A weakly controllable path consists of only silent τu- and τc-transitions, and furthermore all
uncontrollable transitions enabled along this path must use the silent uncontrollable event τu
and lead to states along the path. By imposing this condition on the sequence of silent
events after a controllable event, synthesis transition removal can be defined that preserves
state-wise synthesis abstraction.
Definition 18 Let $G = \langle \Sigma, Q, Q^\circ, \to_G\rangle$ and $H = \langle \Sigma, Q, Q^\circ, \to_H\rangle$ be two automata with
${\to_H} \subseteq {\to_G}$. Automaton $H$ is a result of synthesis transition removal from $G$ if the following
conditions hold for all transitions $x \xrightarrow{\sigma}_G y$.
(i) If $\sigma \in \Sigma_u$ then $x \xrightarrow{\tau_u^* P(\sigma) \tau_u^*}_H y$.
(ii) If $\sigma \in \Sigma_c$ then there exist $t \in \{\tau_u\}^*$ and $u \in \{\tau_c, \tau_u\}^*$ such that $x \xrightarrow{tP(\sigma)}_H z \xrightarrow{u}_H y$, and
$z \xrightarrow{u}_G y$ is a weakly controllable path.
Example 4 Consider automaton unsupC(G) in Figure 1 where α is a controllable event and
!υ is an uncontrollable event. Applying synthesis transition removal to unsupC(G) removes
transitions $p_1 \xrightarrow{\tau_c} p_0$ because of $p_1 \xrightarrow{\tau_u} p_2 \xrightarrow{\tau_c} p_0$,
and $p_0 \xrightarrow{\tau_c} p_0$ because of $p_0 \xrightarrow{\varepsilon} p_0$. Their removal
results in H shown in Figure 1.
No states are merged when removing transitions, so the identity map is a state-wise
synthesis abstraction map after synthesis transition removal.
Proposition 6 Let H be the result of synthesis transition removal from G. Then the identity
map id is a state-wise synthesis abstraction from G to H.
A proof that transition removal preserves state-wise synthesis abstraction is given in [18].
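As an added illustration of Definitions 17 and 18 (not code from the paper or from Supremica), the following Python checks weak controllability of a path and the removal condition (ii) for a silent controllable transition on a small constructed automaton patterned on Example 4; the automaton, its state names and its event names are assumptions, not Figure 1 itself.

```python
"""Weakly controllable paths (Definition 17) and the removal condition of
Definition 18 (ii) for a silent controllable transition, checked on a small
constructed automaton.  Added illustration: not code from the paper or from
Supremica, and the automaton is a stand-in patterned on Example 4, not
Figure 1 itself."""

TAU_C, TAU_U = "tau_c", "tau_u"   # silent controllable / uncontrollable events


def is_uncontrollable(ev):
    """The paper marks uncontrollable events with a leading '!'; tau_u is the
    silent uncontrollable event."""
    return ev == TAU_U or ev.startswith("!")


# Constructed automaton G as a set of (source, event, target) triples.
# p1 -tau_c-> p0 has the alternative path p1 -tau_u-> p2 -tau_c-> p0 (as in
# Example 4); p4 -tau_c-> p0 has a look-alike alternative via p3, but p3 has
# an uncontrollable exit !upsilon that leaves the path.
G = {
    ("p0", TAU_C, "p0"),
    ("p0", "beta", "p1"),
    ("p1", TAU_C, "p0"),
    ("p1", TAU_U, "p2"),
    ("p2", TAU_U, "p1"),       # tau_u back onto the path is allowed
    ("p2", TAU_C, "p0"),
    ("p4", TAU_C, "p0"),
    ("p4", TAU_U, "p3"),
    ("p3", TAU_C, "p0"),
    ("p3", "!upsilon", "p5"),  # escape off the path: blocks removal
}


def is_weakly_controllable(trans, x0, steps):
    """Definition 17.  steps = [(tau_i, x_i), ...] is the path x0 -> ... -> xk;
    the empty list is the path x0 -eps-> x0.  True iff every step is a silent
    transition of trans and every uncontrollable transition leaving
    x0 .. x(k-1) is a tau_u transition back onto the path."""
    states = [x0] + [tgt for _, tgt in steps]
    src = x0
    for ev, tgt in steps:
        if ev not in (TAU_C, TAU_U) or (src, ev, tgt) not in trans:
            return False
        src = tgt
    on_path = set(states)
    for x in states[:-1]:
        for s, ev, y in trans:
            if s == x and is_uncontrollable(ev):
                if ev != TAU_U or y not in on_path:
                    return False
    return True


def silent_paths(trans, x, y):
    """Simple paths from x to y using only tau_c/tau_u steps, each as a step
    list; for x == y only the empty path is reported."""
    found = []

    def dfs(cur, steps, seen):
        if cur == y:
            found.append(steps)
            return
        for s, ev, t in sorted(trans):
            if s == cur and ev in (TAU_C, TAU_U) and t not in seen:
                dfs(t, steps + [(ev, t)], seen | {t})

    dfs(x, [], {x})
    return found


def removable(trans, x, y):
    """Definition 18 (ii) for the transition x -tau_c-> y (P(tau_c) = eps):
    in H = trans without that transition there must be a path x -t-> z -u-> y
    with t in {tau_u}* and z -u-> y weakly controllable in the original."""
    h = trans - {(x, TAU_C, y)}
    for steps in silent_paths(h, x, y):
        for i in range(len(steps) + 1):       # every split point z
            t, u = steps[:i], steps[i:]
            z = steps[i - 1][1] if i else x
            if all(ev == TAU_U for ev, _ in t) and \
                    is_weakly_controllable(trans, z, u):
                return True
    return False


if __name__ == "__main__":
    for x, y in (("p1", "p0"), ("p0", "p0"), ("p4", "p0")):
        print(f"{x} -tau_c-> {y} removable: {removable(G, x, y)}")
```

The third case shows why the weak controllability condition matters: without it the uncontrollable !upsilon behaviour reachable through p3 would be hidden from the supervisor.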
Figure 2: Example of compositional synthesis (automata A, B and C, the composition A ‖ B with states p0–p3 and ⊥, and S with states q0–q8 and ⊥).
Figure 3: Supervisor maps for Figure 2.
Abstraction hierarchy: A, B → A ‖ B (µ2) → A˜B (µ3); C → C˜ (µ1); A˜B ‖ C˜ (µ4) → S (µ5).
µ1: c0 ↦ c′0, c1 ↦ c′0, c2 ↦ c′1, c3 ↦ c′2, c4 ↦ c′3
µ2: a0b0 ↦ p0, a1b0 ↦ p1, a0b1 ↦ p2, a1b1 ↦ p3
µ3: p0 ↦ p0, p1 ↦ p1, p2 ↦ p2, p3 ↦ ⊥
µ4: p0c′0 ↦ q0, p1c′0 ↦ q1, p2c′0 ↦ q2, p0c′1 ↦ q3, p1c′1 ↦ q4, p2c′1 ↦ q5, p0c′2 ↦ q6, p2c′2 ↦ q7, p1c′2 ↦ q8
µ5: q0 ↦ q0, q1 ↦ q1, q2 ↦ q2, q3 ↦ q3, q4 ↦ q4, q5 ↦ q5, q6 ↦ ⊥, q7 ↦ ⊥, q8 ↦ ⊥
4.5 Synchronous Composition
If no abstraction is possible, then compositional synthesis needs to compose some automata. It
is always possible to compose two automata in the set of uncontrolled plants without affecting
the synthesis result. This basic method is included here for the sake of completeness. It does
not contribute to simplification on its own, but usually the result of composition can be
simplified again afterwards.
Proposition 7 Let (G;µ) be a synthesis pair for G0 with G = {G1, . . . , Gn}, let H =
{G1‖G2, G3, . . . , Gn}, and let µ12 : QG → QH such that µ12(y1, . . . , yn) = ((y1, y2), y3, . . . , yn).
Then (G;µ) ≃synth (H;µ12 ◦ µ).
4.6 Worked Example
This section gives an example of the complete process of compositional synthesis using the
above propositions. Consider system G0 = {A,B,C} shown in Figure 2. Events α, β, and γ
are controllable, and !η, !λ and !υ are uncontrollable. Compositional synthesis starts from
the initial synthesis pair:
({A,B,C}; id) (17)
From here, the algorithm first hides event !η from automaton C, as it is a local event, and
simplifies C to the nondeterministic automaton C˜ as explained in Example 3. The states of C
are linked to the states of C˜ by the state-wise synthesis abstraction map µ1 shown in Figure 3.
This map is extended to a map µ˜1 that links states of A ‖ B ‖ C to states of A ‖ B ‖ C˜, as
defined in Proposition 3. By Propositions 3 and 5, the initial synthesis pair (17) is synthesis
equivalent to the following pair:
({A,B, C˜}; µ˜1) (18)
Next, automata A and B are composed as shown in Figure 2, and map µ2, shown in Figure 3,
is constructed to map the states of A and B to the states of A‖B. Its extension µ˜2 according
to Proposition 7 leads to the next synthesis equivalent pair:
({A ‖B, C˜}; µ˜2 ◦ µ˜1) (19)
After the composition of A and B, the controllable events α and γ and the uncontrollable
event !λ become local and can be hidden, resulting in automaton (A ‖B) \! {γ, α, !λ}, shown
as G in Figure 1. Automaton G is abstracted to automaton H in Figure 1 by removing
certainly unsupervisable states and by synthesis transition removal as explained in Examples
1 and 4. This results in the abstracted automaton A˜B = H and a state-wise synthesis
abstraction map µ3 that maps state p3 of A ‖ B to ⊥. By Propositions 3, 4, and 6, its
extension µ˜3 gives the next synthesis equivalent pair:
({A˜B , C˜}; µ˜3 ◦ µ˜2 ◦ µ˜1) (20)
The next step of compositional synthesis is to compose A˜B and C˜, resulting in the automa-
ton S in Figure 2, map µ4 in Figure 3, and the final synthesis equivalent pair:
({A˜B ‖ C˜};µ4 ◦ µ˜3 ◦ µ˜2 ◦ µ˜1) (21)
Finally, a supervisor is calculated for S = A˜B ‖ C˜. This supervisor is obtained by removing
the crossed out states from S in Figure 2, and it is presented as a final map µ5 in Figure 3,
which maps these removed states to ⊥. As (17) and (21) are synthesis equivalent pairs, this
final supervisor results in the same least restrictive behaviour as a supervisor synthesised
monolithically for the original system G0.
5 State Representation Architecture
When compositional synthesis completes, a supervisor can be implemented using the constructed
maps. At each step of compositional synthesis, a state-wise synthesis abstraction map is
constructed that relates the states of the abstracted system to the states in the previous
step. This correspondence is propagated in such a way that the combination of all maps
represents all the states that are reached under a least restrictive controllable and nonblocking
supervisor.
Figure 4: Control architecture. The plant G executes an event σ ∈ Σ; the supervisor S updates
its current state x := δ(x, σ) using the transition function δ and computes the control decision
Γ := { γ ∈ Σc | µ(δ(x, γ)) ≠ ⊥ } ⊆ Σc using the cascaded map µ.
The supervisor interacts with the plant following the control architecture in Figure 4.
Initially, the supervisor assumes the initial state of the plant model as its current state x,
and based on that issues an initial control decision Γ ⊆ Σc, containing the set of controllable
events to be enabled. When the plant executes the next event σ ∈ Σ, the supervisor first
updates its state x using the transition function δ : Q×Σ→ Q. This deterministic version of
the transition relation → exists, as it is based on the original plant model before abstraction,
which is deterministic. Then the new control decision is calculated by finding, for each
controllable event γ ∈ Σc, the successor state y = δ(x, γ) and, if it is defined, checking the
supervisor map to see whether it is a safe state. If the successor state y is defined and not
mapped to the unsafe state ⊥, then the controllable event γ is enabled by including it in the
control decision Γ, otherwise it is disabled.
To show how the supervisor map works in detail, consider again the example in Figure 2
with maps in Figure 3. Assume the system G0 = {A,B,C} is in the global state a0b1c0.
Inspection of the automata model shows that events α, β, and !η are enabled in this state.
Event α would lead the system to a0b0c2. To look up this state, first the state pair a0b0 is
combined to p0 according to map µ2, and p0 is mapped to p0 by map µ3. Moreover, state c2
is mapped to c′1 by map µ1. Next, the combination p0c′1 is mapped to q3 by µ4, which the
final map µ5 maps to q3. Thus the system state a0b0c2 has an image in the final map, so
a0b0c2 is a safe state and α should be enabled. On the other hand, event β would lead the
system to a1b1c0. The state pair a1b1 is mapped to p3 by µ2, which is mapped to ⊥ by µ3. At
this point, it becomes obvious that a1b1c0 is a bad state. Therefore the supervisor disables β.
This results in the control decision Γ = {α}, which means to enable α and disable β. Event !η
is uncontrollable and cannot be disabled by the supervisor. This event leads to state a0b1c1,
which is mapped to q2. This confirms that the supervisor is controllable.
Figure 5: Compacted supervisor maps for Figure 2.
µ1: c0 ↦ c′0, c1 ↦ c′0, c2 ↦ c′1, c3 ↦ c′2, c4 ↦ c′3
µ23: a0b0 ↦ p0, a1b0 ↦ p1, a0b1 ↦ p2
µ45: p0c′0 ↦ q0, p1c′0 ↦ q1, p2c′0 ↦ q2, p0c′1 ↦ q3, p1c′1 ↦ q4, p2c′1 ↦ q5
The cascaded map representing the final supervisor can be further simplified by composing
each synchronisation map and the abstraction map following it. For example, the composition
of the synchronisation map µ2 and the abstraction map µ3 in Figure 3, is done by feeding
the output of µ2 directly into µ3. This results in replacing µ2 and µ3 with µ23 = µ3 ◦ µ2, and
likewise µ4 and µ5 can be replaced with µ45 = µ5 ◦ µ4. Moreover, the blocking state ⊥ can
be removed from all maps, if the absence of an entry for a given state is interpreted as that
state being unsafe. The simplified maps are shown in Figure 5.
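As an added illustration of the control architecture of Figure 4, the compaction just described and the memory estimate of Section 7 (not the authors' Supremica code), the following Python transcribes the maps of Figure 3, computes Γ for the global state a0b1c0 and compacts the cascade into the maps of Figure 5; the partial transition function δ is constructed from the three transitions stated in the text, and the event names are plain-ASCII stand-ins.

```python
"""Cascaded supervisor maps for the example of Figures 2, 3 and 5.

Added illustration, not the authors' Supremica implementation.  The map
tables are transcribed from Figure 3; the plant transition function DELTA
is a constructed, partial one containing only the three transitions the
text states for the global state a0b1c0."""

BOTTOM = None                              # the unsafe state, written ⊥ in the paper
CONTROLLABLE = {"alpha", "beta", "gamma"}  # !eta, !lambda, !upsilon are uncontrollable

# mu1 : states of C -> states of C~, stored as an array indexed by the i of c_i
MU1 = ["c'0", "c'0", "c'1", "c'2", "c'3"]
# mu2 : (state of A, state of B) -> state of A||B
MU2 = {("a0", "b0"): "p0", ("a1", "b0"): "p1",
       ("a0", "b1"): "p2", ("a1", "b1"): "p3"}
# mu3 : removal of the certainly unsupervisable state p3
MU3 = {"p0": "p0", "p1": "p1", "p2": "p2", "p3": BOTTOM}
# mu4 : (state of A~B, state of C~) -> state of S
MU4 = {("p0", "c'0"): "q0", ("p1", "c'0"): "q1", ("p2", "c'0"): "q2",
       ("p0", "c'1"): "q3", ("p1", "c'1"): "q4", ("p2", "c'1"): "q5",
       ("p0", "c'2"): "q6", ("p2", "c'2"): "q7", ("p1", "c'2"): "q8"}
# mu5 : synthesis on S, which removes the crossed-out states q6, q7, q8
MU5 = {f"q{i}": (f"q{i}" if i <= 5 else BOTTOM) for i in range(9)}

# Constructed partial transition function of G0 = {A, B, C}: a global state is
# (state of A, state of B, index i of c_i); only a0b1c0's transitions are given.
DELTA = {
    (("a0", "b1", 0), "alpha"): ("a0", "b0", 2),
    (("a0", "b1", 0), "beta"):  ("a1", "b1", 0),
    (("a0", "b1", 0), "!eta"):  ("a0", "b1", 1),
}


def cascade(a, b, i):
    """mu5 ∘ mu4 ∘ (mu3 ∘ mu2, mu1) applied to the global state a b c_i.
    Returns the image in S, or BOTTOM as soon as one stage yields ⊥, so the
    later maps need not be consulted (as for a1b1c0 in the text)."""
    p = MU3[MU2[(a, b)]]
    if p is BOTTOM:
        return BOTTOM
    q = MU4.get((p, MU1[i]), BOTTOM)   # pairs never reached in S are unsafe
    return BOTTOM if q is BOTTOM else MU5[q]


def control_decision(x, delta, lookup=cascade):
    """Γ := { γ ∈ Σc | µ(δ(x, γ)) ≠ ⊥ } (Figure 4).  Uncontrollable events are
    never part of Γ: the supervisor cannot disable them."""
    return {ev for (src, ev), tgt in delta.items()
            if src == x and ev in CONTROLLABLE and lookup(*tgt) is not BOTTOM}


def compose_dropping_bottom(sync_map, abstraction_map):
    """Feed a synchronisation map into the abstraction map that follows it
    (mu23 = mu3 ∘ mu2, mu45 = mu5 ∘ mu4) and drop entries mapping to ⊥: a
    missing entry is then read as 'unsafe' (Figure 5)."""
    return {key: abstraction_map[mid] for key, mid in sync_map.items()
            if abstraction_map.get(mid, BOTTOM) is not BOTTOM}


MU23 = compose_dropping_bottom(MU2, MU3)
MU45 = compose_dropping_bottom(MU4, MU5)


def cascade_compact(a, b, i):
    """Same lookup as cascade(), through the compacted maps of Figure 5."""
    p = MU23.get((a, b))
    return BOTTOM if p is None else MU45.get((p, MU1[i]), BOTTOM)


def memory_estimate(array_maps, assoc_maps):
    """Memory units as in Section 7: an array map costs one unit per entry; an
    associative map stored as an ordered key/value sequence costs
    (number of key components + 1) units per entry."""
    units = sum(len(m) for m in array_maps)
    units += sum(len(key) + 1 for m in assoc_maps for key in m)
    return units


if __name__ == "__main__":
    x = ("a0", "b1", 0)
    print("Gamma in a0b1c0:", control_decision(x, DELTA))          # {'alpha'}
    print("a0b1c1 ->", cascade("a0", "b1", 1))                     # q2
    print("memory units:", memory_estimate([MU1], [MU23, MU45]))   # 32
```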
Complexity. The space complexity of the state representation supervisor is determined
by the number of maps and their size. At the beginning of compositional synthesis, each
automaton can be abstracted once, and afterwards there can be an abstraction step each
time after automata have been composed. If there are n automata in the model, this gives
n abstraction steps initially, plus n − 1 abstraction steps after synchronous composition, as
the number of components decreases by at least one after each synchronous composition.
In the worst case, each abstraction step results in one supervisor map, giving up to 2n − 1
maps in total. The size of these maps is determined by the number of states of the automata
encountered in each step. If the largest automaton has |Q| states, the worst-case space
complexity to store the supervisor maps is O((2n − 1)|Q|) = O(n|Q|). Thus, the worst-
case memory usage to store the state representation supervisor is linear in the number of
components and in the number of states.
6 Automata-based Supervisor
Previous work [21] follows a similar compositional approach as described above to produce
a supervisor in the form of automata instead of maps. The supervisor automata interact in
synchronous composition with the system to track its states, and the supervisor disables any
controllable events that are disabled by the supervisor automata. For this approach to work,
care must be taken to ensure that the supervisor automata can be implemented.
In the example in Figure 2, two supervisor components are needed to disable the controllable
transitions $p_2 \xrightarrow{\beta} p_3$ in A ‖ B after removing the certainly unsupervisable states and
$q_2 \xrightarrow{\alpha} q_6$ in S. However, the automaton S cannot be implemented as a supervisor because of
the nondeterminism in state q2, where it is not clear whether event α should be enabled or
disabled. In [21], renaming is used to avoid nondeterminism after abstraction, and event α is
replaced by two new events α1 and α2. The decision which of these events is enabled is made
by a so-called distinguisher, which is derived from automaton C. This gives the supervisor
automata shown in Figure 6, where RC is the distinguisher, and A˜B and RS are the renamed
supervisor components.
Another issue arises when S, shown in Figure 2, is used as a supervisor automaton as it
does not include the removed transition $q_1 \xrightarrow{\gamma} q_0$. Then the supervisor disables the controllable
event γ in the global state a1b1c0 and thus is not a least restrictive supervisor. Therefore,
in [21] transition removal is not used as an abstraction method, so this transition is present
in RS . Transition removal is used in [20], where a so-called redirection map is proposed,
which maps the removed transition to the alternative path. Yet, the redirection map cannot
be represented in the form of automata, and it is not straightforward to combine redirection
maps with other abstraction methods or with renaming.
Complexity. The space complexity of the supervisor automata is determined by the num-
ber of automata and their number of transitions. To calculate the supervisor automata, the
same abstraction steps as in the state representation approach are applied, which in the worst
case can be 2n − 1 steps. However, as the modular supervisor automata consist of distin-
guishers and supervisor components obtained after unsupervisability removal, two supervisor
components may be produced at each step. This results in 2(2n − 1) = 4n − 2 supervisor
components in total. The space complexity to store each automaton is determined by its
number of transitions. A deterministic automaton with |Q| states and |Σ| events has up to
|Q||Σ| transitions. Then the worst-case space complexity to store the supervisor components
is O((4n− 2)|Q||Σ|) = O(n|Q||Σ|), where |Q| is the number of states of the largest automa-
ton, and |Σ| is the largest number of events after renaming. As in the case of the state
representation-based supervisor, memory usage grows linearly in the number of automata
and their states, however it also grows linearly in the number of events after renaming. In
the worst case, there may be exponentially more events after renaming than before, although
this case seems to be rare in practice.
Figure 6: Automata-based supervisor (distinguisher RC and the renamed supervisor components A˜B and RS).
State representation-based supervisors can solve the above problems of nondeterminism
and not being least restrictive after transition removal, because all control decisions are based
on the target states of the transitions in the original plant model G0. In addition, state
representation-based supervisors are, in the worst case, much smaller than automata-based
supervisors.
7 Experimental Results
The state representation and automata-based compositional synthesis algorithms are imple-
mented in the discrete event systems tool Supremica [1], and both implementations have been
used to compute supervisors for several large discrete event system models. The test cases
include complex industrial models and case studies from different application areas such as
manufacturing systems and automotive body electronics, most of which have also been used
as benchmarks in [21]. The following list gives an overview:
agv Automated guided vehicle coordination based on a Petri net model [23]. To make the
example blocking in addition to uncontrollable, there is also a variant, agvb, with an
additional zone at the input station.
aip Automated manufacturing system of the Atelier Inter-établissement de Productique [3].
fencaiwon09 Model of a production cell in a metal-processing plant [6].
fms2003 Large-scale flexible manufacturing system according to [34].
psl An assembly cell for toy cars, which are built up from seven parts [24]. psl-big is the
basic model, psl-restart has additional transitions for restart, and psl-partleft has
counters for extra parts.
tbed Model of a toy railroad system based on [13]. Three versions present different control
objectives.
verriegel Models of the central locking system of a BMW car. There are two variants, a
three-door model verriegel3, and a four-door model verriegel4. These models are
derived from the KorSys project [26].
6link Models of a cluster tool for wafer processing previously studied for synthesis in [28].
The performance of the compositional algorithms is sensitive to the order in which au-
tomata are composed and simplified. The implementations underlying this working paper
are based on a two-step selection procedure [8]. The first step computes a set of candidates,
i.e., groups of automata to be considered for composition, and the second step selects a most
promising candidate. The following heuristics [8, 31] are considered for the first step:
MustL considers for every event σ in the model the set of automata using this event σ as a
possible candidate. This ensures that there is at least one local event, namely σ, after
composition. As most of the abstractions depend on hiding of local events, this heuristic
increases the possibility of abstraction.
Pairs considers as candidates all pairs of two automata that have at least one common event.
This approach seeks to compose the system in small steps, only two automata at a time.
MinT considers as candidates all automata pairs containing the automaton with the fewest
transitions. This heuristic tries to keep the intermediate results small.
MaxS considers as candidates all automata pairs containing the automaton with the most
states. This typically results in all automata being composed together in a growing
subsystem in a way similar to [28].
The second step of candidate selection attempts to identify the best candidate among the
set of candidates from the first step. Again, a variety of alternatives [8, 31] are considered:
MaxL chooses the candidate with the highest proportion of local events. This heuristic
attempts to increase the possibility of hiding and abstraction.
MinE chooses the candidate with the minimum number of events. This increases the possi-
bility of observation-equivalence based abstraction.
MaxC chooses the candidate with the highest proportion of common events. This results in
a smaller synchronous composition.
MinS chooses the candidate with the smallest estimated number of states after abstraction.
The estimate is obtained by multiplying the product of the state numbers of the auto-
mata forming the candidate with the ratio of the number of events the candidate shares
with other automata over the total number of events of the candidate.
MinSync computes the synchronous composition of the automata in each candidate and
chooses the candidate with the fewest states in the synchronous composition.
MinF chooses the candidate with the smallest number of other automata linked via events to
the candidate's automata. This heuristic attempts to minimise event sharing between
the candidate and the rest of the system.
Table 1: Experimental results.
Model                                         Automata-based                          State representation-based
Name            Cont   Nonb   Size           Time      Memory    Heuristic           Time      Memory    Heuristic
agv             false  true   2.6 · 10^7     0.17 s    19729     Pairs/MaxL          0.11 s    5585      MustL/MaxC
agvb            false  false  2.3 · 10^7     0.30 s    27610     MaxS/MaxC           0.09 s    4305      MustL/MaxC
aip0alps        true   false  3.0 · 10^8     0.04 s    360       Pairs/MinE          14.52 s   209       MustL/MaxC
fencaiwon09b    true   false  8.9 · 10^7     0.05 s    5097      MustL/MinE          0.05 s    4185      MinT/MaxC
fencaiwon09s    false  false  2.9 · 10^8     0.06 s    9626      MustL/MinSync       0.03 s    3615      MustL/MinE
fms2003         true   false  1.7 · 10^7     26.10 s   265556    MinT/MinF           23.31 s   78675     MinT/MinE
psl big         true   false  3.9 · 10^7     0.05 s    1997      MustL/MinS          0.07 s    1721      Pairs/MaxC
psl restart     true   false  3.9 · 10^7     0.26 s    74240     MustL/MinE          31.19 s   37562     MustL/MaxC
psl partleft    true   true   7.7 · 10^7     42.07 s   603805    Pairs/MaxC          2.12 s    111313    Pairs/MinF
tbed hisc1      true   false  2.9 · 10^17    3.90 s    68431     Pairs/MinF          3.17 s    112361    Pairs/MinF
tbed noderailb  true   false  3.2 · 10^12    9.08 s    498       MaxS/MinS           4.54 s    1658      MinT/MinS
tbed uncont     false  true   3.6 · 10^12    9.06 s    131469    MaxS/MinS           3.48 s    132644    MustL/MinSync
verriegel3b     true   false  1.3 · 10^9     0.42 s    34        MustL/MinSync       0.33 s    42        MustL/MinSync
verriegel4b     true   false  6.2 · 10^10    0.63 s    34        MustL/MinSync       3.99 s    42        MinT/MinF
6linka          true   false  2.4 · 10^14    0.53 s    66016     MinT/MinE           0.41 s    9045      Pairs/MaxC
6linki          true   false  2.7 · 10^14    0.26 s    98280     MinT/MaxC           0.13 s    13002     MinT/MinE
6linkp          true   false  4.2 · 10^14    0.55 s    91785     MinT/MaxL           0.41 s    8776      Pairs/MaxC
6linkre         true   false  6.2 · 10^14    0.11 s    7153      Pairs/MinSync       0.10 s    2027      Pairs/MinSync
In addition to the candidate selection strategy, the algorithms are controlled by state
and transition limits. If the synchronous composition of a candidate exceeds 5,000 states or
1,000,000 transitions, that candidate is discarded and another is chosen instead.
Compositional synthesis has been attempted for all test cases, using both the state
representation-based and automata-based algorithms, with all combinations of the candi-
date selection heuristics above. The results are shown in Table 1. For each test case, the
table shows whether the model is controllable (Cont) or nonblocking (Nonb), and the number
of reachable states of the uncontrolled system (Size). Next, the table shows for automata-
based and state representation-based compositional synthesis, the total runtime (Time) and
a memory estimate for the supervisor (Memory), in each case using the heuristic combination
that produces the smallest supervisor. Supervisor size is used as the selection criterion because
the memory usage plays an important role when it comes to implementing the supervisor in
memory-limited devices like PLCs.
The memory for automata-based supervisors is estimated based on the numbers of states
and transitions. Each state counts as one unit of memory, and each transition counts as two
units of memory, estimating the amount of memory to form transition lists indexed by source
states. For example, the supervisor automaton RS in Figure 6 has 6 states and 9 transitions,
so its memory estimate is 24 units. All the supervisor automata in Figure 6 are estimated to
use 59 units of memory together.
The memory for state representation-based supervisors is estimated based on the size of
the maps. In Figure 5, there are two types of maps. Map µ1 results from the abstraction
of a single automaton, while maps µ23 and µ45 result from the synchronous composition of
two automata. The abstraction map µ1 can simply be stored as an array, mapping each of
the five states of automaton C to a state in its abstraction C˜. The array contains only the
sequence of states c′0, c′0, c′1, c′2, c′3 of C˜, which are associated to the states ci of C by their
index i. This works because abstraction maps cover all states of the original automaton.
Differently, synchronous composition maps only cover the reachable states of the synchronous
composition. They are better stored as associative maps. A memory-efficient representation
of map µ23 is the ordered sequence 〈a0, b0, p0, a1, b0, p1, a0, b1, p2〉. The abstracted state p0 for
the original state a0b0, e.g., can be found using binary search [32]. Based on this, the array
for map µ1 stores 5 state names and uses 5 units of memory, while the associative maps for
µ23 and µ45 use 9 and 18 units of memory respectively. This gives a total memory estimate
of 32 units for all the supervisor maps in Figure 5, which is 27 units less compared to the
automata-based approach.
All experiments have been run on a standard desktop PC using a single 3.3GHz micro-
processor and not more than 2GB of RAM. Table 1 shows that both compositional synthesis
algorithms successfully compute supervisors for all test cases in a few seconds or minutes.
In most cases, the supervisor maps use less memory than automata-based supervisors as
expected. Yet, there are a few cases such as tbed hisc1 and tbed noderailb where the
automata-based supervisors use less memory. In these cases, closer analysis shows that the
automata-based supervisor consists of only a few small automata resulting from unsuper-
visability removal, which have been abstracted substantially in the preceding steps, whereas
the state representation-based supervisor includes maps from all intermediate steps, some of
which are large.
The experiments also show that the runtimes and supervisor sizes are highly sensitive to
the heuristics used. Every heuristic considered gives the best result for at least one model in Table 1.
Fortunately, synthesis often completes in a matter of seconds, enabling the user to attempt
several different heuristics or algorithms and choose the best result.
To examine the effect of transition removal, Figure 7 shows the total number of transitions
encountered by the two algorithms with two fixed heuristic combinations. These results
suggest that state representation-based synthesis, which supports transition removal, produces
significantly fewer transitions in general. Transition removal can even affect the success of the
compositional approach. For example, the automata-based compositional algorithm fails to
calculate a supervisor for psl restart with the MustL/MinS heuristic combination. Yet,
there are cases where state representation-based synthesis encounters more transitions, for
example with the agv models under the MustL/MaxC heuristic combination. This can be
explained by the fact that the MaxC heuristic is dependent on the number of events, which
changes after renaming and in these cases seems to lead to poor decisions.
Figure 7: Number of transitions in automata-based synthesis (light) vs. state representation-based synthesis (dark). Two panels, MustL/MinS and MustL/MaxC, list the models 6linka, 6linki, 6linkp, 6linkre, agv, agvb, aip0alps, fencaiwon09b, fencaiwon09s, fms2003, psl big, psl restart, psl partleft, tbed hisc1, tbed noderailb, tbed uncont, verriegel3b and verriegel4b with the transition count in units of 10^6; in the MustL/MinS panel psl restart is marked "Out of memory".
8 Conclusions
The working paper proposes a general framework for compositional synthesis of least re-
strictive, controllable, and nonblocking supervisors of large discrete event system models.
The framework supports compositional reasoning using state merging, state removal, and
transition removal abstractions that are guaranteed to preserve synthesis results. The final
supervisor is a set of cascaded maps that represents the set of safe states. The algorithm
has been implemented and its performance compared with the well-developed compositional
synthesis algorithm [21] that returns a set of supervisor automata. The space complexity
analysis and the experimental results suggest that supervisor maps in many cases require less
memory than supervisor automata.
In future work, the authors would like to extend the approach and investigate the com-
positional synthesis of supervisors for finite-state machines augmented with bounded discrete
variables.
References
[1] Åkesson, K., Fabian, M., Flordal, H., Malik, R.: Supremica—an integrated environment
for verification, synthesis and simulation of discrete event systems. In: Proceedings of
the 8th International Workshop on Discrete Event Systems, WODES'06, pp. 384–385.
IEEE (2006)
[2] Åkesson, K., Flordal, H., Fabian, M.: Exploiting modularity for synthesis and verification
of supervisors. In: Proceedings of the 15th IFAC World Congress on Automatic Control
(2002)
[3] Brandin, B., Charbonnier, F.: The supervisory control of the automated manufacturing
system of the AIP. In: Proceedings of Rensselaer's 4th International Conference on
Computer Integrated Manufacturing and Automation Technology, pp. 319–324. IEEE
Computer Society Press (1994)
[4] Brandin, B.A., Malik, R., Malik, P.: Incremental verification and synthesis of discrete-
event systems guided by counter-examples. IEEE Transactions on Control Systems Tech-
nology 12(3), 387–401 (2004). DOI 10.1109/TCST.2004.824795
[5] Bryant, R.E.: Symbolic Boolean manipulation with ordered binary-decision diagrams.
ACM Computing Surveys 24(3), 293–318 (1992). DOI 10.1145/136035.136043
[6] Feng, L., Cai, K., Wonham, W.M.: A structural approach to the non-blocking supervi-
sory control of discrete-event systems. International Journal of Advanced Manufacturing
Technology 41, 1152–1168 (2009). DOI 10.1007/s00170-008-1555-9
[7] Feng, L., Wonham, W.M.: Supervisory control architecture for discrete-event systems.
IEEE Transactions on Automatic Control 53(6), 1449–1461 (2008). DOI 10.1109/TAC.2008.927679
[8] Flordal, H., Malik, R.: Compositional verification in supervisory control. SIAM Journal
of Control and Optimization 48(3), 1914–1938 (2009). DOI 10.1137/070695526
[9] Flordal, H., Malik, R., Fabian, M., Åkesson, K.: Compositional synthesis of maximally
permissive supervisors using supervision equivalence. Discrete Event Dynamic Systems:
Theory and Applications 17(4), 475–504 (2007). DOI 10.1007/s10626-007-0018-z
[10] Graf, S., Steffen, B.: Compositional minimization of finite state systems. In: Proceedings
of the 1990 Workshop on Computer-Aided Verification, LNCS, vol. 531, pp. 186–196.
Springer (1990). DOI 10.1007/BFb0023732
[11] Harel, D.: Statecharts: a visual formalism for complex systems. Science of Computer
Programming 8(3), 231–274 (1987). DOI 10.1016/0167-6423(87)90035-9
[12] Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall (1985)
[13] Leduc, R.J.: PLC implementation of a DES supervisor for a manufacturing testbed:
An implementation perspective. Master's thesis, Department of Electrical Engineering,
University of Toronto, ON, Canada (1996). URL http://www.cas.mcmaster.ca/~leduc
[14] Luo, J., Nonami, K.: Approach for transforming linear constraints on Petri nets. IEEE
Transactions on Automatic Control 56(12), 2751–2765 (2011). DOI 10.1109/TAC.2011.2128590
[15] Malik, R., Flordal, H.: Yet another approach to compositional synthesis of discrete event
systems. In: Proceedings of the 9th International Workshop on Discrete Event Systems,
WODES'08, pp. 16–21. IEEE (2008). DOI 10.1109/WODES.2008.4605916
[16] Malik, R., Streader, D., Reeves, S.: Conflicts and fair testing. International Jour-
nal of Foundations of Computer Science 17(4), 797–813 (2006). DOI 10.1142/S012905410600411X
[17] Miremadi, S., Åkesson, K., Lennartson, B.: Symbolic computation of reduced guards in
supervisory control. IEEE Transactions on Automation Science and Engineering 8(4),
754–764 (2011). DOI 10.1109/TASE.2011.2146249
[18] Mohajerani, S., Malik, R., Fabian, M.: Five abstraction rules to remove transitions
while preserving compositional synthesis results. Working Paper 01/2012, Department
of Computer Science, University of Waikato, Hamilton, New Zealand (2012). URL http://hdl.handle.net/10289/6259
[19] Mohajerani, S., Malik, R., Fabian, M.: Synthesis equivalence of triples. Working Pa-
per 04/2012, Department of Computer Science, University of Waikato, Hamilton, New
Zealand (2012). URL http://hdl.handle.net/10289/7162
[20] Mohajerani, S., Malik, R., Fabian, M.: Transition removal for compositional supervisor
synthesis. In: Proceedings of the 8th International Conference on Automation Science
and Engineering, CASE2012, pp. 690–695 (2012). DOI 10.1109/CoASE.2012.6386447
[21] Mohajerani, S., Malik, R., Fabian, M.: A framework for compositional synthesis of
modular nonblocking supervisors. IEEE Transactions on Automatic Control 59(1), 150–
162 (2014). DOI 10.1109/TAC.2013.2283109
[22] Mohajerani, S., Malik, R., Ware, S., Fabian, M.: On the use of observation equivalence in
synthesis abstraction. In: Proceedings of the 3rd IFAC Workshop on Dependable Control
of Discrete Systems, DCDS2011, pp. 84–89 (2011). DOI 10.1109/DCDS.2011.5970323
[23] Moody, J.O., Antsaklis, P.J.: Supervisory Control of Discrete Event Systems Using Petri
Nets. Kluwer Academic Publishers (1998)
[24] Parsaeian, S.: Implementation of a framework for restart after unforeseen errors in manu-
facturing systems. Master's thesis, Chalmers University of Technology, Göteborg, Sweden
(2014)
[25] Ramadge, P.J.G., Wonham, W.M.: The control of discrete event systems. Proceedings
of the IEEE 77(1), 81–98 (1989). DOI 10.1109/5.21072
[26] KorSys Project: URL http://www4.in.tum.de/proj/korsys/
[27] Schmidt, K., Breindl, C.: Maximally permissive hierarchical control of decentralized
discrete event systems. IEEE Transactions on Automatic Control 56(4), 723–737 (2011).
DOI 10.1109/TAC.2010.2067250
[28] Su, R., van Schuppen, J.H., Rooda, J.E.: Aggregative synthesis of distributed supervisors
based on automaton abstraction. IEEE Transactions on Automatic Control 55(7), 1267–
1640 (2010). DOI 10.1109/TAC.2010.2042342
[29] Tarski, A.: A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of
Mathematics 5(2), 285–309 (1955)
[30] Vahidi, A.: Efficient analysis of discrete event systems—supervisor synthesis with binary
decision diagrams. Ph.D. thesis, Chalmers University of Technology, Göteborg, Sweden
(2004)
[31] Ware, S., Malik, R., Mohajerani, S., Fabian, M.: Certainly unsupervisable states. In:
Proceedings of the 2nd International Workshop on Formal Techniques for Safety-Critical
Systems, FTSCS 2013, pp. 3–18 (2013)
[32] Wirth, N.: Algorithms and Data Structures. Prentice-Hall (1986)
[33] Wong, K.C., Wonham, W.M.: Modular control and coordination of discrete-event sys-
tems. Discrete Event Dynamic Systems: Theory and Applications 8(3), 247–297 (1998).
DOI 10.1023/A:1008210519960
[34] Zhou, M.C., Dicesare, F., Rudolph, D.L.: Design and implementation of a Petri net
based supervisor for a flexible manufacturing system. Automatica 28, 1199–1208 (1992).
DOI 10.1016/0005-1098(92)90061-J
