A Discrete Event Systems Approach for Protocol Conversion by Kumar, Ratnesh et al.
ISR
Institute for Systems Research
Sponsored by
the National Science Foundation
Engineering Research Center Program,
A Discrete Event Systems Approach for Protocol
Conversion
by R. Kumar, S. Nelvagal, S.I. Marcus
T.R. 97-3
Department of Electrical Engineering and
Institute of Systems Research
University of Maryland at College Park
College Park, MD 20742
Abstract
A protocol mismatch occurs when heterogeneous networks try to communicate with each other. Such mismatches are inevitable due to the proliferation of a multitude of networking architectures, hardware, and software on one hand, and the need for global connectivity on the other hand. In order to circumvent this problem the solution of protocol conversion has been proposed. In this paper we present a systematic approach to protocol conversion using the theory of supervisory control of discrete event systems, which was partially first addressed by Inan. We study the problem of designing a converter for a given mismatched pair of protocols, using their specifications, and the specifications for the channel and the user services. We introduce the notion of converter languages and use it to obtain a necessary and sufficient condition for the existence of a protocol converter, and present an effective algorithm for computing it whenever it exists.
Keywords: Protocol conversion, discrete event systems, supervisory control, controllability, observability, normality, safety, progress, synchronous composition.
This research was supported in part by the Center for Robotics and Manufacturing Systems, University
1 Introduction
There is a growing need for global communication over networks of computers. However, the heterogeneity of existing networks does not allow direct and consistent communication and results in a mismatch of protocols. Such mismatches are inevitable due to the proliferation of differing hardware, software and networking standards, and the urgency of achieving global connectivity. While a possible solution to such differing standards or protocol mismatches would be to standardize networking protocols, such a move may not be practical, and in any case will take years to be agreed upon worldwide, resulting in connectivity problems for the present. As a result, the alternative of protocol conversion has been proposed. Protocol converters will be the only form of solution available until everybody adheres to a global standard.
Green [21] argues that protocol conversion is a necessity that cannot be ignored, citing the reason that it is a little too late to standardize architectures. An established base of DECnet, ARPAnet, IBM SNA, TCP/IP and X.25 users will find it difficult to switch to an open and global standard simply because of the sheer effort involved, as well as because doing so would render obsolete many existing hardware and software solutions by numerous vendors. Different protocols and architectures also tend to serve different communities of users, with the need to maintain contact with the external world still being of great importance.
In Figure 1 protocol P consists of the sending end protocol P0 and the receiving end protocol P1. Similarly, the protocol Q is composed of Q0 and Q1. A protocol mismatch occurs when the sending end protocol P0 of P tries to communicate with the receiving end

Figure 1: Protocol configuration
A practical solution to such a protocol mismatch is to interpose a translator or converter between the two protocols, so that it traps all messages being sent from one system to the other and translates the messages of the sender system in such a manner that the receiver system can understand them without loss of consistency. This is depicted in Figure 2, where P0 denotes one of the mismatched protocols, Q1 the other, and C denotes the converter. The resulting protocol conversion system has to adhere to the user service

Figure 2: Interposing a protocol converter
Tanenbaum [28] provides a classification for such converters depending on the layer of the protocol stack at which they are used. Repeaters are used at the physical layer; bridges at the link layer; routers or gateways at the network layer; and finally protocol converters at the transport layer.
The events that occur at the user interface are called the external events; the remaining events are called the internal events. Let G denote the composition of P0 and Q1, and K denote the user service specification. Then G is a system that evolves over external as well as internal events, whereas K is a formal language defined only over the external events. The composition of G with a converter C, denoted $G \| C$, implements the service specification K if certain safety and progress properties hold. Safety captures the notion that nothing illegal should happen, i.e., the event traces of $G \| C$ should correspond to those allowed by K. Progress captures the notion that the composition should not block the occurrence of an external event whenever it is feasible in the specification K, i.e., whenever the specification does not "block" it.
The role of the converter C is to restrict the behavior of G so that $G \| C$ implements K. However, it must do so under its limited control and observation capabilities. In other words, certain events are controllable, i.e., their enablement or disablement can be controlled by C (the remaining are uncontrollable); similarly, certain events are observable, i.e., their occurrence can be sensed by C (the remaining are unobservable). Thus the design of protocol converters can be studied in the framework of supervisory control of discrete event systems pioneered by Ramadge and Wonham [23] and subsequently extended by other researchers (refer to the survey articles [24, 29], and the book [12]). This is the motivation for the work presented here.
The problem of protocol conversion has been studied by several researchers, and the paper by Calvert and Lam [2] provides a nice survey. One of the first approaches to protocol conversion is the bottom-up approach taken by Okumura [20] and by Lam [17]. The bottom-up approaches are heuristic in nature and may not be able to determine a converter even when one exists. The top-down approach of Calvert and Lam [2] is algorithmic in nature. However, the converter they design is a state machine that evolves over the set of internal events, which implies that the set of internal events is treated as both the set of controllable and the set of observable events for the converter. This is unrealistic, since the converter can observe only those events that occur at its interface, i.e., its "input" and "output" events, and it can control only its output events. So in general these event sets are different. This is further illustrated in the example below. The top-down or algorithmic approach is also known as the quotient approach, since C can be viewed as the "quotient of G and K".
The protocol conversion problem was first treated by Inan in the supervisory control framework as an important application example in [8], in further depth in [9], and the theoretical foundation on which this application is based was given in [10]. However, this work of Inan addresses only the safety constraint of the protocol conversion problem, which requires that the projected language of the supervised system should equal the given specification language. The additional progress constraint, which requires that the supervised system never block an external event that is not blocked by the specification itself, was also considered as part of the protocol conversion problem in the work of Calvert-Lam [2]. We treat both the safety and progress constraints in the work presented here. The existence of a converter requires controllability and observability conditions together with extra safety and progress conditions, implying that the work presented here also requires a generalization of conventional supervisory control. Rudie-Wonham [25] have also applied supervisory control techniques for deriving a missing portion (either the sender or the receiver portion) of a protocol assuming some knowledge of it. This problem is quite similar to that of protocol conversion but again considers the safety specification only.
In a recent work, Kumar-Fabian [11] show that the progress constraint may be expressed using a type of nonblocking property with respect to a family of marked languages, one for each external event. This nonblocking property differs from the conventional one used in supervisory control [3] in two ways: first, nonblocking with respect to a family of markings (as opposed to a single marking) is needed, and second, each type of marking depends, in a very specific manner, on the entire closed-loop behavior (as opposed to being just those traces of the closed-loop behavior that are marked in the open-loop behavior).
In this paper we derive a converter using formal techniques from supervisory control of discrete event systems. The supervisory control framework provides necessary and sufficient conditions for the existence of supervisors (in the present setting, converters) for a given plant (in the present setting, the composition of the two mismatched protocols) so that the closed-loop system (in the present setting, the composition of the converter and the mismatched protocols) meets a desired specification (in the present setting, the user service specification). However, since the user service specification is a partial specification, i.e., it is defined only on the subset consisting of the external events (as opposed to the entire event set, which is customary in the supervisory control framework), the supervisory control theory results cannot be applied directly, and appropriate extensions are obtained in this paper.
We introduce the notion of converter languages and show that the existence of a converter is equivalent to the existence of a converter language contained in the language of G. The set of converter languages is closed with respect to union. So a supremal converter language exists, and we provide an effective algorithm for computing it. The test for the existence of a converter reduces to the test of non-emptiness of the supremal converter language. Moreover, the generator for the supremal converter language serves as a choice for the converter. No converter exists if the supremal converter language is empty, in which case the given service specification may be minimally altered so that a converter exists. This problem has recently been addressed by Takai-Takae-Kodama [27] and Kumar-Fabian [11].
We illustrate our work by the example of two incompatible protocols, namely the Alternating Bit protocol and the Nonsequenced protocol [28]. These two are obviously incompatible because the alternating bit protocol labels all data packets with sequence numbers 0 or 1, while the nonsequenced protocol does not work with labeled data packets. Abridged versions of the work presented here first appeared in [14, 15].
2 Motivating Example
For the example we assume that the converter is collocated with the receiving end. So, as shown in Figure 3, the sending end P0 is the composition of the sender protocol Ps and the

Figure 3: A typical protocol conversion system

general Q1 is also a composition of Qr and the receiver's channel. The mismatched protocol components for the example are the Alternating Bit protocol sender (Ps), Alternating Bit channel (Pc), and the Nonsequenced protocol receiver (Qr). The state machines for each of these, along with that for the service specification, are presented in this section. Thus in this example $G = P_0 \| Q_1 = P_s \| P_c \| Q_r$.
The events occurring at various interfaces for the present example are indicated in Figure 3. The external event set consists of the accept event (acc) and the deliver event (del). Lower (respectively, upper) case letters are used for internal events occurring at the sender (respectively, receiver) end. An event label having a negative (respectively, positive) sign as its prefix represents a transmit (respectively, receipt) event of a protocol. However, the sign convention for the channel is the opposite, since a receipt event of the channel is a transmit event of the adjoining protocol and vice versa. So the receipt events of the channel are prefixed with negative signs, whereas the transmit events of the channel are prefixed with positive signs. Since the converter is interposed between the channel and the receiver protocol, this fixes the events that occur at the converter interface. Thus, for instance, $-d_i$ represents a transmit event of a data packet with label i (where i = 0, 1) at the sender protocol (and a receipt event of the same data packet at the channel), whereas $-A$ represents a transmit event of an acknowledgment at the receiver protocol (and a receipt event of the same acknowledgment at the converter). Other events include the timeout event (tm) and the channel loss event (ls).
Thus in the above example the event set $\Sigma$ consists of the following:
$$\Sigma = \{acc,\ del,\ +d_i,\ -d_i,\ +a_i,\ -a_i,\ +D,\ -A,\ tm,\ ls\}.$$
A subset of $\Sigma$ consisting of the events
$$\{+d_i,\ -a_i,\ +D,\ -A\}$$
occur at the converter interface. These constitute the set of observable events, whereas all the remaining events are unobservable. Part of the observable events are the output events of the converter, and their occurrence can be controlled. So the converter output events constitute the set of controllable events, which are:
$$\{-a_i,\ +D\}.$$
All the other events are uncontrollable to the converter. Note that the set of controllable events for the converter is contained in the set of its observable events. We exploit this property when we design the converter. Also note that the set of controllable events and the set of observable events are both different from the set of internal events. This distinction is not noted in the work of Calvert and Lam [2].
The Alternating Bit sender depicted in Figure 4 has six states. The initial state is state 0, where it is in a position to accept data from the user. The data is transmitted with label 0. The next data is accepted from the user after an acknowledgment with the correct label 0 is received. Otherwise, when either the wrong acknowledgment with label 1 is received or the sender times out (due to loss of data or acknowledgment), the data is retransmitted with label 0. This procedure is repeated after each accept event, except that

Figure 4: Alternating Bit sender
The Alternating Bit channel shown in Figure 5 has six states. The channel initially receives a data packet (events $-d_i$), which it may either lose (event ls) sending it back

Figure 5: Alternating Bit channel

it receives an acknowledgment packet (events $-a_i$). Acknowledgments may either get lost (event ls) or get successfully transmitted (events $+a_i$), sending the channel back to its initial state in either case.
The Nonsequenced receiver is shown in Figure 6. This is a very simple state machine, which on receiving data delivers it to the user and sends an acknowledgment to the sender. Since no labels are present, data packets labeled by the Alternating Bit sender cannot be

Figure 6: Nonsequenced receiver and Service specification

Finally, the protocol system should provide the service of loss free transmission over the lossy channel, which is accomplished by requiring that the accept and deliver events alternate. This service specification is depicted in Figure 6. Weaker service specifications of the type "the order of accepted and delivered message sequences be identical" can also be considered. However, more complex protocols will be needed to offer such a service.
3 Notation and Preliminaries
We use $\Sigma$ to denote the universe of events. $\Sigma^*$ denotes the set of all finite length event sequences, called traces, including the zero length trace, denoted $\epsilon$. A subset of $\Sigma^*$, i.e., a collection of traces, is called a language. For a language H, the notation pr(H), called the prefix closure of H, is the set of all prefixes of traces in H. H is said to be prefix closed if H = pr(H). Given a trace $s \in \Sigma^*$ and a subset of events $\hat\Sigma \subseteq \Sigma$, the projection of s on $\hat\Sigma$, denoted $s \uparrow \hat\Sigma$, is the trace obtained by erasing the events not belonging to $\hat\Sigma$ from s.
State machines [7] are used for representing the untimed behavior of discrete event systems (such as protocol and channel systems) as well as for representing qualitative or logical specifications (such as user service specifications). Formally, a state machine P is a quadruple $P := (X, \Sigma, \delta, x_0)$, where X denotes the set of states, $\Sigma$ denotes the finite set of events, $\delta : X \times (\Sigma \cup \{\epsilon\}) \to 2^X$ is the partial transition function, and $x_0 \in X$ is the initial state. A triple $(x, \sigma, x') \in X \times (\Sigma \cup \{\epsilon\}) \times X$ is called a transition of P if $x' \in \delta(x, \sigma)$; it is said to be an epsilon-transition if $\sigma = \epsilon$. For $x \in X$ and $\hat\Sigma \subseteq \Sigma$, the notation $\hat\Sigma^*(P, x) \subseteq X$ denotes the set of states reachable by execution of zero or more events in $\hat\Sigma$ from state x in P; and the notation $\hat\Sigma(P, x) \subseteq \hat\Sigma$ denotes the set of events in $\hat\Sigma$ that are executable at x in P. The transition function is extended from events to traces, $\delta : X \times \Sigma^* \to 2^X$, in the obvious way. The generated language of P is the set of all traces that it can execute starting from its initial state, i.e.,
$$L(P) := \{s \in \Sigma^* \mid \delta(x_0, s) \neq \emptyset\}.$$
P is called a deterministic state machine if the transition function is a partial function of the form $\delta : X \times \Sigma \to X$. The completion of a deterministic state machine P, denoted $\bar P := (X \cup \{x_d\}, \Sigma, \bar\delta, x_0)$, is the state machine obtained by "completing" the transition function of P by adding a new state, a "dump" state $x_d$, and adding transitions from each state x of P to the dump state on those events that are not defined at x in P. Formally,
$$\forall x \in X \cup \{x_d\},\ \sigma \in \Sigma:\quad \bar\delta(x, \sigma) := \begin{cases} \delta(x, \sigma) & \text{if } \delta(x, \sigma) \text{ is defined} \\ x_d & \text{otherwise.} \end{cases}$$
Note that $L(\bar P) = \Sigma^*$.
Synchronous composition [6] of state machines is used to represent the concurrent operation of component systems. Given two deterministic state machines $P := (X_P, \Sigma_P, \delta_P, x_{0,P})$ and $Q := (X_Q, \Sigma_Q, \delta_Q, x_{0,Q})$, the composition of P and Q, denoted $P \| Q := (X, \Sigma, \delta, x_0)$, is defined by $X := X_P \times X_Q$, $\Sigma := \Sigma_P \cup \Sigma_Q$, $x_0 := (x_{0,P}, x_{0,Q})$, and, for $(x_P, x_Q) \in X$ and $\sigma \in \Sigma$,
$$\delta((x_P, x_Q), \sigma) := \begin{cases} (\delta_P(x_P, \sigma), \delta_Q(x_Q, \sigma)) & \text{if } \delta_P(x_P, \sigma), \delta_Q(x_Q, \sigma) \text{ defined},\ \sigma \in \Sigma_P \cap \Sigma_Q \\ (\delta_P(x_P, \sigma), x_Q) & \text{if } \delta_P(x_P, \sigma) \text{ defined},\ \sigma \in \Sigma_P - \Sigma_Q \\ (x_P, \delta_Q(x_Q, \sigma)) & \text{if } \delta_Q(x_Q, \sigma) \text{ defined},\ \sigma \in \Sigma_Q - \Sigma_P \\ \text{undefined} & \text{otherwise.} \end{cases}$$
Thus when P and Q are composed, their common events occur synchronously, while the other events occur asynchronously. The generated language of the composition is given by:
$$L(P \| Q) = \{s \in \Sigma^* \mid s \uparrow \Sigma_P \in L(P),\ s \uparrow \Sigma_Q \in L(Q)\}.$$
Note that when $\Sigma_P = \Sigma_Q = \Sigma$, then $L(P \| Q) = L(P) \cap L(Q)$, since all events must occur synchronously. Also note that although the state set for $P \| Q$ is $X_P \times X_Q$, many of the states remain unreachable in $P \| Q$. We adopt the convention that by writing $P \| Q$ we mean its reachable or trim component [7].
In supervisory control of discrete event systems, the synchronous composition of an uncontrolled plant, modeled as a state machine G, and a supervisor, modeled as a state machine S having an identical event set as the plant, is used as a control mechanism. A certain sublanguage $H \subseteq L(G)$ represents the desired behavior of the plant, and the control objective is to design a supervisor S such that the controlled plant behavior $L(G \| S)$ equals H. The supervisor to be designed has limited control and observation capabilities in the sense that (i) it cannot prevent the occurrence of certain uncontrollable events, and (ii) it can only observe the occurrence of certain observable events. Letting $\Sigma_u \subseteq \Sigma$ denote the set of uncontrollable events and $\Sigma_o \subseteq \Sigma$ denote the set of observable events, the following result from supervisory control theory states a necessary and sufficient condition for the existence of such a supervisor:
Theorem 1 [23, 18] Given a plant G, a desired behavior $H \subseteq L(G)$, the set of uncontrollable events $\Sigma_u$, and the set of observable events $\Sigma_o$, there exists a supervisor S (compatible with control and observation capabilities) such that $L(G \| S) = H$ if and only if
Prefix closure and Non-emptiness: $H = pr(H) \neq \emptyset$.
Controllability: $pr(H)\Sigma_u \cap L(G) \subseteq pr(H)$.
Observability: $\forall s, t \in pr(H),\ \sigma \in \Sigma:\ s \uparrow \Sigma_o = t \uparrow \Sigma_o,\ s\sigma \in pr(H),\ t\sigma \in L(G) \Rightarrow t\sigma \in pr(H)$.
The controllability condition requires that the extension of any prefix of H by an uncontrollable event that is feasible in the plant should also be a prefix of H. This is because the occurrence of uncontrollable events cannot be prevented. A pair of traces is called indistinguishable if each trace in the pair has an identical projection on the set of observable events. The observability condition requires that the extensions of a pair of indistinguishable prefixes of H by a common feasible event should either both or neither be prefixes of H. This is because identical control action must be taken following an indistinguishable pair of traces.
Note that H is controllable (respectively, observable) if and only if pr(H) is controllable (respectively, observable). Tests for the controllability and observability conditions are known when G has finitely many states and H is a regular language, so that it admits a finite state machine representation. In fact, if G has m states and H has a state machine representation with n states, then controllability can be tested in O(mn) time, whereas observability can be tested in $O(mn^2)$ time [30, 16]. In case the desired behavior H fails to satisfy any of the required conditions, a maximally permissive supervisor is designed that achieves a maximal sublanguage of H satisfying the required conditions. It is known that controllability is preserved under union, so that a unique maximal controllable sublanguage, called the supremal controllable sublanguage, of a given language exists [22]; however, observability is not preserved under union, so maximal observable sublanguages are not unique [18]. Hence sometimes normal sublanguages instead of observable sublanguages are considered [18]:
Normality: $\forall s, t \in \Sigma^*:\ s \uparrow \Sigma_o = t \uparrow \Sigma_o,\ s \in pr(H),\ t \in L(G) \Rightarrow t \in pr(H)$.
Normality requires that traces of G that are indistinguishable from a prefix of H must themselves be prefixes of H. Normality is preserved under union, so that the supremal normal sublanguage of a given language exists [18, 1, 13], and normality can be tested in $O(mn^2)$ time [12, p. 103]. Moreover, normality implies observability, and the converse holds in the presence of controllability when the controllable events are also observable:
Theorem 2 [9, Proposition 4.2] Given G and $H \subseteq L(G)$, if $\Sigma - \Sigma_u \subseteq \Sigma_o$, then H is controllable and observable if and only if it is controllable and normal.
A similar result also appeared in [12, Theorem 4.3] and in the timed setting in [19, Proposition 4].
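As an added illustration (the code below is written for this edit and is not from the paper), the conditions of Theorem 1 and the normality condition can be checked directly on finite, prefix-closed sets of traces. The plant and candidate behaviors are constructed for the purpose: $L(G) = pr(\{ab, ba\})$ with both events controllable and neither observable. Each of $H_1 = \{\epsilon, a\}$ and $H_2 = \{\epsilon, b\}$ is observable, but their union is not, which is the non-closure under union noted above; and $H_1$ is controllable and observable yet not normal, which does not contradict Theorem 2 because its hypothesis $\Sigma - \Sigma_u \subseteq \Sigma_o$ fails here. The `sup_normal` routine is a finite-language fixpoint written for this example, not the algorithm of the cited references.

```python
# Added example (not from the paper): Theorem 1's conditions and normality
# checked by brute force on finite, prefix-closed trace sets.  A trace is a
# tuple of event names; a language is a set of traces.

def prefix_closure(lang):
    """pr(H): all prefixes of traces in H, including the empty trace."""
    return {s[:i] for s in lang for i in range(len(s) + 1)}

def project(s, sigma_o):
    """s|Sigma_o: erase the events not in Sigma_o."""
    return tuple(e for e in s if e in sigma_o)

def controllable(H, L, sigma_u):
    """pr(H) Sigma_u  intersected with  L  is contained in pr(H)."""
    H = prefix_closure(H)
    return all(s + (u,) in H for s in H for u in sigma_u if s + (u,) in L)

def observable(H, L, sigma, sigma_o):
    """Indistinguishable s, t in pr(H): s.e in pr(H) and t.e in L imply t.e in pr(H)."""
    H = prefix_closure(H)
    return all(t + (e,) in H
               for s in H for t in H if project(s, sigma_o) == project(t, sigma_o)
               for e in sigma if s + (e,) in H and t + (e,) in L)

def normal(H, L, sigma_o):
    """Every trace of L indistinguishable from a prefix of H is itself a prefix of H."""
    H = prefix_closure(H)
    return all(t in H for s in H for t in L if project(s, sigma_o) == project(t, sigma_o))

def sup_normal(K, L, sigma_o):
    """Supremal normal sublanguage of pr(K) w.r.t. L: repeatedly drop every trace
    indistinguishable from a trace of L outside the current language, together
    with its extensions (finite-language fixpoint written for this example)."""
    H = prefix_closure(K)
    while True:
        outside = {project(t, sigma_o) for t in L - H}
        drop = {s for s in H if project(s, sigma_o) in outside}
        if not drop:
            return H
        H = {s for s in H if not any(s[:len(x)] == x for x in drop)}

# Constructed plant and candidate behaviours: L(G) = pr({ab, ba}); the supervisor
# can disable both events (Sigma_u empty) but observes neither (Sigma_o empty).
SIGMA, SIGMA_U, SIGMA_O = {"a", "b"}, set(), set()
L = prefix_closure({("a", "b"), ("b", "a")})
H1, H2 = prefix_closure({("a",)}), prefix_closure({("b",)})

def demo():
    """(H1 observable, H2 observable, H1|H2 observable, H1 normal, supN(H1|H2))."""
    return (observable(H1, L, SIGMA, SIGMA_O), observable(H2, L, SIGMA, SIGMA_O),
            observable(H1 | H2, L, SIGMA, SIGMA_O), normal(H1, L, SIGMA_O),
            sup_normal(H1 | H2, L, SIGMA_O))
```

`demo()` returns `(True, True, False, False, set())`: the supervisor that sees nothing may enable `a` alone or `b` alone (each choice is observable), but the union `{ε, a, b}` would require `b.a` to be allowed whenever `a` is, since `ε` and `b` are indistinguishable. The supremal normal sublanguage of that union is empty, because even the empty trace is indistinguishable from `a` and `b` in the plant.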
4 Existence and Computation of Converter
In this paper we are interested in solving a slightly different supervisory control problem, where the objective is to obtain a supervisor, which we refer to as a converter in this context, so that the closed-loop system implements a given service specification defined on the subset of external events.
Definition 1 Given $P := (X, \Sigma, \delta, x_0)$, a set of external events $\Sigma_e \subseteq \Sigma$ and a service specification $K \subseteq \Sigma_e^*$, P implements K if the following hold:
Safety: $L(P) \uparrow \Sigma_e = pr(K)$.
Progress: $\forall s \in L(P),\ \sigma \in \Sigma_e:\ (s \uparrow \Sigma_e)\sigma \in pr(K) \Rightarrow \exists t \in (\Sigma - \Sigma_e)^* \text{ s.t. } st\sigma \in L(P)$.
Safety requires that each generated trace of P should correspond to a prefix of the specification, i.e., no "illegal" traces should occur in P. Since K is a partial specification (defined only on the external event set), there may exist more than one trace of P that corresponds to the same prefix of K. Progress requires that if an external event is possible after such a prefix of K, then it should also be possible "eventually", i.e., after the occurrence of zero or more internal events following each corresponding trace of P. Note that safety only guarantees that such an external event is eventually possible following at least one (and not all) of the corresponding traces of P.
Remark 1 The definition of "implements" given above is equivalent to that given in [2] but is stated differently for simplicity. For example, the definition of safety given in [2] uses containment instead of equality. However, containment can be replaced by equality since the reverse containment follows from progress. Similarly, the definition of progress given in [2] uses a "state characterization" instead of a "language characterization". This is because in [2] P is represented as a nondeterministic state machine over only external events by replacing each transition on an internal event by an epsilon-transition. So a language based characterization of progress is not possible and a state based characterization is used. In our case P is a state machine over both external and internal events.
In the following theorem we provide a necessary and sufficient condition for the existence of a converter for a given pair of mismatched protocols and a given service specification. We first introduce the notion of converter languages. As described above, the notation G is used to denote the composition of the mismatched protocols, and K is used to denote the service specification.
Definition 2 Given a pair of mismatched protocols G, a service specification $K \subseteq \Sigma_e^*$, a set of uncontrollable events $\Sigma_u$, and a set of observable events $\Sigma_o$, a language $H \subseteq L(G)$ is called a converter language if the following hold:
Controllability: $pr(H)\Sigma_u \cap L(G) \subseteq pr(H)$.
Observability: $\forall s, t \in pr(H),\ \sigma \in \Sigma:\ s \uparrow \Sigma_o = t \uparrow \Sigma_o,\ s\sigma \in pr(H),\ t\sigma \in L(G) \Rightarrow t\sigma \in pr(H)$.
Safety: $pr(H) \uparrow \Sigma_e = pr(K)$.
Progress: $\forall s \in pr(H),\ \sigma \in \Sigma_e:\ (s \uparrow \Sigma_e)\sigma \in pr(K) \Rightarrow \exists t \in (\Sigma - \Sigma_e)^* \text{ s.t. } st\sigma \in pr(H)$.
Note that $H \subseteq L(G)$ is a converter language if and only if its prefix closure is also a converter language. Using the result of Theorem 1, we next show that a necessary and sufficient condition for the existence of a converter is the existence of a nonempty converter language.
Theorem 3 Given a pair of mismatched protocols G, a service specification $K \subseteq \Sigma_e^*$, a set of uncontrollable events $\Sigma_u$, and a set of observable events $\Sigma_o$, there exists a converter C (compatible with control and observation capabilities) such that $G \| C$ implements K if and only if there exists a nonempty converter language.
Proof: We first prove the necessity. Suppose there exists a converter C such that $G \| C$ implements K. We claim that $H := L(G \| C)$ is the required converter language. Since C is control and observation compatible, from the necessity part of Theorem 1 it follows that H is nonempty, prefix closed, controllable and observable. Furthermore, since $G \| C$ implements K, it follows from Definition 1 that $H = L(G \| C)$ also satisfies the safety and progress properties of Definition 2. Thus H is a nonempty converter language.
In order to see the sufficiency, suppose there exists a nonempty converter language $H \subseteq L(G)$. Then pr(H) is nonempty, controllable and observable. So from the sufficiency part of Theorem 1 it follows that there exists C, which is control and observation compatible, such that $L(G \| C) = pr(H)$. Furthermore, since H is a converter language, it follows from Definition 2 that it satisfies the safety and progress properties, which implies that $G \| C$ implements K as desired.
Since the set of controllable events for a converter is contained in the set of its observable events, i.e., $\Sigma - \Sigma_u \subseteq \Sigma_o$, it follows from Theorems 2 and 3 that a language is a converter language if and only if it satisfies the properties of controllability, normality, safety, and progress. This fact can be used to obtain the following corollary, which states that the set of converter languages is closed under union, so that a supremal one exists. Define the following set of converter sublanguages of L(G) which implement the specification K:
$$Conv(G, K) := \{H \subseteq L(G) \mid H \text{ is a converter language}\}.$$
Corollary 1 Given G, sets $\Sigma_e, \Sigma_u, \Sigma_o$, and $K \subseteq \Sigma_e^*$, the supremal converter language $supConv(G, K)$ exists.
Proof: First note that since $\emptyset$ is a converter sublanguage, $Conv(G, K) \neq \emptyset$. Let $\Lambda$ be an indexing set such that for each $\alpha \in \Lambda$, $H_\alpha \subseteq L(G)$ is a converter language. We claim that $\bigcup_{\alpha \in \Lambda} H_\alpha$ is also a converter language, i.e., it satisfies the conditions of controllability, normality, safety, and progress. The first two properties follow from the fact that controllability and normality are preserved under union. For safety,
$$pr\Big(\bigcup_{\alpha \in \Lambda} H_\alpha\Big) \uparrow \Sigma_e = \bigcup_{\alpha \in \Lambda} \big(pr(H_\alpha) \uparrow \Sigma_e\big) = \bigcup_{\alpha \in \Lambda} pr(K) = pr(K),$$
where we have used the fact that prefix closure and projection operations commute with arbitrary union, and each $H_\alpha$ satisfies safety. Finally, to see progress, pick $s \in pr(\bigcup_{\alpha \in \Lambda} H_\alpha) = \bigcup_{\alpha \in \Lambda} pr(H_\alpha)$ and $\sigma \in \Sigma_e$ such that $(s \uparrow \Sigma_e)\sigma \in pr(K)$. Then there exists $\alpha \in \Lambda$ such that $s \in pr(H_\alpha)$. Also, since $H_\alpha$ is a converter language, it satisfies progress. So there exists $t \in (\Sigma - \Sigma_e)^*$ such that $st\sigma \in pr(H_\alpha) \subseteq \bigcup_{\alpha \in \Lambda} pr(H_\alpha) = pr(\bigcup_{\alpha \in \Lambda} H_\alpha)$.
The following theorem provides a concrete condition for the existence of a converter and forms the basis for the test developed in this paper. It also specifies a choice for a prototype converter.
Theorem 4 Let $G, K, \Sigma_e, \Sigma_u, \Sigma_o$ be as in Theorem 3. Then there exists a converter C such that $G \| C$ implements K if and only if $supConv(G, K)$ is nonempty, in which case C can be chosen to be a generator of $supConv(G, K)$.
Proof: In order to see the necessity, suppose there exists a converter. Then from the necessity part of Theorem 3 there exists a nonempty converter language $H \in Conv(G, K)$, which implies $supConv(G, K)$ is nonempty. Sufficiency follows from the sufficiency part of Theorem 3, since $supConv(G, K)$ is a converter language and it is given to be nonempty. Finally, let C be any generator of $supConv(G, K)$, i.e., $L(C) = supConv(G, K)$; then
$$L(G \| C) = L(G) \cap L(C) = L(G) \cap supConv(G, K) = supConv(G, K),$$
where the last equality follows from the fact that $supConv(G, K) \subseteq L(G)$. Consequently, $L(G \| C)$ satisfies the safety and progress properties of Definition 2, which implies that $G \| C$ implements K.
From Theorem 4 the task of checking the existence of a converter, as well as that of designing one when it exists, reduces to the task of computing the supremal converter language and verifying its non-emptiness. We next present an algorithm for computing $supConv(G, K)$ assuming that G has finitely many states, say m, and K is a regular language, so that it admits a finite state machine representation, say $S := (Y, \Sigma_e, \alpha, y_0)$, with say n states. For the motivating example, the state machine representation for K consists of only two states, as shown in Figure 6.
As with the computation of the supremal controllable sublanguage given in [13], the algorithm for the computation of $supConv(G, K)$ has two steps: in the first step it constructs a sufficiently "refined" version of the state machine G (see footnote 1), and in the next step it removes certain "bad" states from this refined state machine.
Initially certain states which correspond to traces that violate safety are marked "bad", i.e., these are the states that are reachable by execution of traces whose projection on the external event set is not a prefix of K. If there are no such bad states, then, provided L(G) also satisfies progress, $supConv(G, K)$ equals L(G). Otherwise, a converter must be designed to restrict the behavior of G so that only those "good" states remain reachable which correspond to traces that also satisfy the progress, controllability, and normality conditions.
Progress requires that the set of external events that can be executed following the execution of zero or more internal events from a certain good state (passing only through good states) should contain the set of external events executable at the corresponding point in K. If a good state fails to satisfy progress, it is marked bad. Controllability requires that no bad state should be reachable from a good state on an uncontrollable event, since the execution of an uncontrollable event cannot be prevented and the system could then uncontrollably reach a bad state from a good state. So in order to compute $supConv(G, K)$, if there exists an uncontrollable transition from a good state to a bad one, then that good state is marked bad. Finally, normality requires that the states corresponding to a set of indistinguishable traces should either be all good or all bad. So if a good state and a bad state can be reached by the execution of a pair of indistinguishable traces, then that good state is marked bad. The algorithm terminates when there are no more additional bad states to be marked. Then $supConv(G, K)$ consists of the traces corresponding to the remaining good states, and it is nonempty if and only if the set of good states is nonempty.
It is clear that the state machine representation of G needs to be sufficiently refined
so that the states corresponding to the traces violating any of the conditions can be
unambiguously identified. First, in order to deal with the safety, progress and controllability
conditions, we refine the machine G by composing it with the state machine S̄ obtained by
completing the transition function of S. For the motivating example, the state machine S̄ is
shown in Figure 7, in which the dump state is explicitly depicted. Note that L(S̄) = Σ_e^* as
expected, and given a trace s ∈ Σ_e^*, s ∈ pr(K) = L(S) if and only if its execution does not
result in the dump state in S̄. Let G1 := S̄ ∥ G; then since Σ_e ⊆ Σ, we have

L(G1) = {s ∈ L(G) | s↑Σ_e ∈ L(S̄)} = L(G),

where the last equality follows from the fact that L(S̄) = Σ_e^*. For notational simplicity let
G1 have state set Z, event set Σ and initial state z_0. Here Z := (Y ∪ {y_d}) × X, where y_d
is the dump state of S̄, denotes the state set of G1, the transition function of G1 maps Z × Σ
to Z, and z_0 = (y_0, x_0) is the initial state. Note that given a trace s ∈ L(G1) = L(G), its
execution leads to a state z = (y_d, x) in G1 if and only if s↑Σ_e ∉ pr(K).

Figure 7: Completion of service specification

Footnote 1: Given two state machines G_i (i = 1, 2) with state sets X_i, common event set Σ
and initial states x_{0,i}, G_1 is said to be a refined version of G_2 if L(G_1) = L(G_2) and there
exists a function h : X_1 → X_2 that commutes with the transition functions, i.e., h maps the
state reached in G_1 from x on an event to the state reached in G_2 from h(x) on that event,
for each x ∈ X_1.
Next, in order to deal with the normality condition, we further refine G1. First we obtain
a nondeterministic state machine G2 that generates all traces that are indistinguishable from
the traces of G1. Since a trace remains indistinguishable when unobservable events are either
inserted or erased, the following construction yields the desired G2:
Algorithm 1 Given G1 := S̄ ∥ G, add transitions in G1 to obtain G2 as follows:
1. For each z ∈ Z and each unobservable event σ ∈ Σ − Σ_o, add a self-loop transition (z, σ, z).
2. For each transition (z, σ, z′) of G1 such that z ≠ z′ and σ ∈ Σ − Σ_o, add an epsilon-
transition (z, ε, z′).
Step 1 (respectively, 2) in the algorithm has the effect of inserting (respectively, erasing)
unobservable events.
Remark 2 Note that if z is reachable by execution of a trace s in G1, then z is also reachable
by execution of all traces that are indistinguishable from s in G2. So if s′ ∈ L(G1) is a trace
indistinguishable from s and if z′ is reachable by execution of s′ in G1, then z′ is also reachable
by execution of s in G2 (since s is indistinguishable from s′). In fact the set of states reachable
by execution of s in G2 is the set of states that are reachable in G1 by execution of those
traces in G1 that are indistinguishable from s.
Next, using the power-set construction [7], we obtain a deterministic state machine G3
with the same language as L(G2). Finally we construct the machine G4 := G1 ∥ G3. Since
L(G3) = L(G2) ⊇ L(G1) = L(G), L(G4) = L(G1) ∩ L(G3) = L(G). We show below that G4
is a sufficiently refined version of G. We first outline the construction of G4 in the following
algorithm:
Algorithm 2 Given G, with state set X, event set Σ and initial state x_0, and a deterministic
generator S of pr(K), with state set Y, event set Σ_e and initial state y_0, obtain G4 as follows:
1. Obtain S̄ by adding a dump state and completing the transition function of S. (Then
L(S̄) = Σ_e^*.)
2. Obtain G1 := S̄ ∥ G. (Then L(G1) = L(G), and the state set of G1 is denoted Z.)
3. Obtain the nondeterministic state machine G2 by adding transitions in G1 as described
in Algorithm 1. (Then L(G2) ⊇ L(G1), and the state set of G2 is Z.)
4. Obtain G3 by "determinizing" G2 using the power set construction. (Then L(G3) =
L(G2), and the state set of G3 is 2^Z.)
5. Obtain G4 as G1 ∥ G3. (Then L(G4) = L(G), and the state set of G4 is Z × 2^Z.)
Clearly, G4 is a refined version of G. For notational simplicity, let G4 have state set R,
event set Σ and initial state r_0, where R = Z × 2^Z is the state set of G4. Note that each
state r in G4 is of the form r = (z, Ẑ), where z ∈ Z and Ẑ ⊆ Z. The transition function of
G4 maps R × Σ to R. The initial state of G4 is r_0 = (z_0, {z_0}), where z_0 := (y_0, x_0). In the
following lemma we list some of the properties of G4 which demonstrate that it is a
sufficiently refined version of G. We first define the concept of a matching pair of states.
Definition 3 A pair of states r_1 = (z_1, Ẑ_1), r_2 = (z_2, Ẑ_2) ∈ R of G4 is said to be a matching
pair if Ẑ_1 = Ẑ_2.
Lemma 1 The following hold for G4, the state machine constructed in Algorithm 2:
1. L(G4) = L(G).
2. Consider s ∈ L(G4), and let r = ((y, x), Ẑ) be the state reached from r_0 on s; then
s↑Σ_e ∈ pr(K) if and only if y ≠ y_d.
3. If r = (z, Ẑ) ∈ R is a state of G4, then z ∈ Ẑ.
4. Consider a matching pair of states r_1, r_2 ∈ R. Then for each s_1 ∈ L(G) leading from
r_0 to r_1, there exists s_2 ∈ L(G) such that s_2↑Σ_o = s_1↑Σ_o and s_2 leads from r_0 to r_2.
Proof: The first part follows from the construction and is proved above. In order to see the
second part, consider s ∈ L(G4) and let r = ((y, x), Ẑ) be the state reached from r_0 on s.
Then execution of s↑Σ_e in S̄ results in the state y of S̄. Since L(S) = pr(K), the assertion
follows from the fact that s↑Σ_e ∈ L(S) = pr(K) if and only if y ≠ y_d.
In order to see the third part, let s ∈ L(G4) be such that s leads from r_0 to r = (z, Ẑ). Then
execution of s results in the state z in G1 and the state Ẑ in G3. Since G3 is obtained by
"determinizing" the state machine G2, this implies that execution of s results in each state
ẑ ∈ Ẑ in G2. (Recall that G2 is nondeterministic.) Since G2 is obtained by adding transitions
in G1, z is one such state. Hence z ∈ Ẑ.
Finally, in order to see the fourth part, consider a matching pair of states r_i = (z_i, Ẑ),
i = 1, 2. From the third part we have that z_1, z_2 ∈ Ẑ. Consider s_1 ∈ L(G4) leading from r_0
to r_1. Then execution of s_1 results in state z_1 in G1, and in each state ẑ ∈ Ẑ in G2
(including the states z_1 and z_2). Then from Remark 2 concerning G2, there exists a trace
s_2 ∈ L(G) indistinguishable from s_1, i.e., s_2↑Σ_o = s_1↑Σ_o, such that its execution results in
the state z_2 in G1. (If no such trace exists, then z_2 cannot be reached by execution of s_1 in
G2.) Finally, since s_2 is indistinguishable from s_1, its execution in G2 also results in the set
of states Ẑ. So the execution of s_2 results in the state r_2 = (z_2, Ẑ) in G4, as desired.
We are now ready to present the algorithm that iteratively marks bad states in G4, and
upon termination yields a generator for supConv(G, K). The notation R_b^k ⊆ R is used to
denote the set of bad states at the kth iteration.
Algorithm 3 Given G4 constructed in Algorithm 2:
1. Initialization step: k := 0, and
R_b^0 := {r = ((y, x), Ẑ) ∈ R | y = y_d}.
2. Iteration step: R_b^{k+1} := R_b^k ∪ {r ∈ R − R_b^k | an uncontrollable event leads from r to
a state in R_b^k} ∪ {r = (z, Ẑ) ∈ R − R_b^k | ∃ r′ = (z′, Ẑ) ∈ R_b^k} ∪ {r ∈ R − R_b^k | r fails the
progress test of condition (iii) below}.
3. If R_b^{k+1} = R_b^k, then stop; else k := k + 1, and go to step 2.
The algorithm initially sets the iteration counter k = 0 and marks a state r = ((y, x), Ẑ) ∈
R as a bad state if its first coordinate is the dump state, i.e., if y = y_d. This is because if
s ∈ L(G4) = L(G) is any trace leading from r_0 to r, then from the second part of Lemma 1,
s↑Σ_e ∉ pr(K), i.e., s violates the safety condition. The set of bad states at the kth iteration
is denoted by R_b^k.
In the kth iteration step, a good state r = ((y, x), Ẑ) ∈ R − R_b^k is marked bad if any of
the following hold: (i) there exists an uncontrollable event from r to a bad state. This
is because if s ∈ L(G4) = L(G) is any trace leading from r_0 to r, then s violates the
controllability condition. (ii) There exists a matching bad state r′ ∈ R_b^k. This is because if
s ∈ L(G4) = L(G) is any trace leading from r_0 to r, then from the fourth part of Lemma 1,
there exists a trace s′ indistinguishable from s leading from r_0 to r′, i.e., s violates the
normality condition. (iii) The set of external events that are executable at state y in S is
not contained in the set of external events that are executable from those good states that
are reached by the execution of zero or more internal events from r in G4. This is because if
s ∈ L(G4) = L(G) is any trace leading from r_0 to r, then s violates the progress condition.
The algorithm terminates if no additional bad states are marked in the kth iteration;
else, the iteration counter is incremented by one and the iteration step is repeated. Note
that since G4 has finitely many states, the algorithm is guaranteed to terminate in a finite
number of iterations. Also, since the algorithm marks a state as bad if and only
if all traces that lead to it violate either safety, progress, controllability, or normality, the
state machine obtained by the removal of the terminal set of bad states (and all transitions
leading towards or away from them) from G4 generates the language supConv(G, K). Hence
we obtain the following result stating the correctness of the algorithm.
Theorem 5 Given a finite state machine G and a regular language K ⊆ Σ_e^*, Algorithm 3
terminates in a finite number of steps, and the state machine obtained by removal of the
states R_b ⊆ R from G4 generates supConv(G, K), where R_b denotes the set of bad states at
the termination of the algorithm.
Remark 3 Let m be the number of states in G and n be the number of states in the
state machine representation of K. Then the computational complexity of Algorithm 3 is
O(m²n²2^{2mn}), since the number of states in G4 is O(mn2^{mn}), which implies that there are
O(mn2^{mn}) iterations with equally many computations in each iteration. Also,
unless P = NP, no algorithm of polynomial complexity exists. This follows from the fact
that in the special case when Σ_e = Σ, the converter design problem reduces to the standard
supervisory control problem under partial observation with the desired behavior constraint
specified as a range of languages, which is known to be an NP-complete problem [30].
5 Implementation Issues and Example Converters
Since the computation of supConv(G, K) is intractable, a computationally tractable
heuristic approach to converter design is desirable. We propose two heuristics and utilize
each to design a converter for the motivating example.
Since the computational intractability arises due to the presence of partial observation,
one possibility is to first compute the supremal sublanguage of L(G) satisfying safety,
progress, and controllability, and next verify whether it is also normal, each of which can
be done in polynomial time. In case the language is also normal, then it equals the desired
supremal converter language and we are successful in computing it in polynomial time.
We next outline a polynomial time computation of the supremal sublanguage of L(G)
satisfying safety, progress, and controllability. Clearly, this language equals supConv(G, K)
when all events are observable (so that normality trivially holds). Note that when all events
are observable, G2 equals G1, i.e., no transitions are added when Algorithm 1 is invoked, so
G4 also equals G1. Hence the following modification of Algorithm 3 computes the desired
supremal sublanguage of L(G) satisfying safety, progress, and controllability.
Algorithm 4 Given G, with state set X, event set Σ and initial state x_0, and a deterministic
generator S of pr(K), with state set Y, event set Σ_e and initial state y_0, let G1 := S̄ ∥ G, with
state set Z and initial state z_0.
1. Initialization step: k := 0, and
Z_b^0 := {z = (y, x) ∈ Z | y = y_d}
(the states of G1 reached by traces violating safety).
2. Iteration step: Z_b^{k+1} := Z_b^k ∪ {z ∈ Z − Z_b^k | an uncontrollable event leads from z to a
state in Z_b^k} ∪ {z = (y, x) ∈ Z − Z_b^k | the set of external events executable at y in S is not
contained in the set of external events executable from the good states reached from z by
zero or more internal events in G1}.
3. If Z_b^{k+1} = Z_b^k, then stop; else k := k + 1, and go to step 2.
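The marking procedure of Algorithm 4 (safety first, then controllability and progress, iterated to a fixed point over G1 := S̄ ∥ G), as an added Python example that is not part of the paper or its C program. The machines G_SYS and S_SPEC are constructed toys rather than the Alternating Bit/Nonsequenced example, and the function names (complete, compose, progress_ok, supremal_spc) and the dict representation of state machines are this example's own.

```python
# Added example (not the paper's C program): Algorithm 4 as a fixed point over G1 := S-bar || G.
DUMP = "yd"  # dump state y_d introduced when completing S to S-bar

def complete(S, ext):
    """Step 1: add y_d and complete S over Sigma_e; every missing external event goes to y_d."""
    return {y: {e: t.get(e, DUMP) for e in ext} for y, t in list(S.items()) + [(DUMP, {})]}

def compose(Sbar, y0, G, x0, ext):
    """Step 2: synchronous composition S-bar || G restricted to reachable states.
    External events move both machines; internal events move G alone."""
    G1, stack = {}, [(y0, x0)]
    while stack:
        z = stack.pop()
        if z in G1:
            continue
        y, x = z
        G1[z] = {}
        for e, x2 in G[x].items():
            z2 = (Sbar[y][e], x2) if e in ext else (y, x2)
            G1[z][e] = z2
            stack.append(z2)
    return G1

def progress_ok(G1, S, z, bad, ext):
    """Progress at good state z = (y, x): each external event enabled at y in S must be enabled
    at some good state reached from z by zero or more internal events, via good states only."""
    seen, stack, enabled = set(), [z], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for e, nxt in G1[cur].items():
            if nxt in bad:
                continue  # the converter disables transitions into bad states
            if e in ext:
                enabled.add(e)
            else:
                stack.append(nxt)
    return set(S[z[0]]) <= enabled

def supremal_spc(G, x0, S, y0, ext, unctrl):
    """Mark bad states of G1 until a fixed point: Z_b^0 from safety, then controllability
    and progress each iteration. Returns (iterations, good states, G1 pruned to good states)."""
    G1 = compose(complete(S, ext), y0, G, x0, ext)
    bad = {z for z in G1 if z[0] == DUMP}  # Z_b^0: traces whose projection leaves pr(K)
    k = 0
    while True:
        new = set(bad)
        for z in G1:
            if z in bad:
                continue
            if any(e in unctrl and nxt in bad for e, nxt in G1[z].items()):
                new.add(z)  # controllability: uncontrollable event into a bad state
            elif not progress_ok(G1, S, z, bad, ext):
                new.add(z)  # progress: a required external event is not reachable
        if new == bad:
            break
        bad, k = new, k + 1
    good = set(G1) - bad
    pruned = {z: {e: n for e, n in G1[z].items() if n in good} for z in good}
    return k, good, pruned

EXT, UNCTRL = {"D", "A"}, {"loss", "t"}  # Sigma_e; uncontrollable channel loss and timeout
S_SPEC = {"y0": {"D": "y1"}, "y1": {"A": "y0"}}  # constructed service K = (D A)*
G_SYS = {  # constructed toy composition of sender, channel and receiver
    "x0": {"d": "x1", "f": "x4"},     # send over the lossy path, or over the fast path
    "x1": {"D": "x2", "loss": "x0"},  # delivered to the user, or lost in the channel
    "x2": {"A": "x3", "t": "x5"},     # acknowledged, or the sender times out
    "x3": {"a": "x0"},                # acknowledgment returned to the sender
    "x4": {"D": "x6"},                # fast path delivery
    "x5": {"D": "x2"},                # retransmission re-delivers: "D D" is not in pr(K)
    "x6": {"A": "x3"},
}

if __name__ == "__main__":
    print(supremal_spc(G_SYS, "x0", S_SPEC, "y0", EXT, UNCTRL)[:2])
```

On this toy the three marking rules each fire once: the seven dump states go first (safety), then (y1, x5) fails progress, then (y1, x2) is marked because the uncontrollable timeout t leads into it; the fixed point leaves five good states and disables D after the lossy send.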
Using the fact that G1 has O(mn) states, the computational complexity of Algorithm 4
can be determined to be O(m²n²). The algorithm computes the supremal sublanguage of
L(G) that satisfies safety, progress, and controllability (but may violate normality). The
test whether this language is also normal (with respect to the given set of observable events)
can be performed in O(m(mn)²) = O(m³n²) time [12, p. 103]. In case the test for normality
fails, then as in the work of Cho-Marcus on the iterative computation of the supremal controllable
and normal sublanguage [4], we can iterate between the supremal normal sublanguage
computation and the computation of the supremal language that meets safety, progress, and
controllability until a fixed point is reached, which however will result in an exponential
computational complexity. This is outlined in the following algorithm:
Algorithm 5 Given G and K ⊆ Σ_e^*, compute supConv(G, K) as follows:
1. H_0 := L(G); k := 0.
2. Compute the supremal sublanguage Ĥ_k of H_k satisfying safety, progress, and
controllability using Algorithm 4. If Ĥ_k is normal, then supConv(G, K) = Ĥ_k, and stop; else
go to step 3.
3. Compute the supremal normal sublanguage H_{k+1} of Ĥ_k. If H_{k+1} satisfies safety and
progress (Algorithm 6 given below provides a test for safety and progress), then
supConv(G, K) = H_{k+1}, and stop; else replace G by the generator of H_{k+1}, set
k := k + 1, and go to step 2.
Remark 4 Note that in the above algorithm we do not need to check the controllability of
H_{k+1} in step 3, since it is known that the supremal normal computation preserves
controllability [5, Proposition 3.9]. Also, in step 3, if H_{k+1} does not satisfy safety and progress, then
we need to compute its supremal sublanguage satisfying safety and progress. We can use
Algorithm 4 for doing this (although in this case controllability trivially holds). However,
we need to replace G by the generator of H_{k+1}, since Algorithm 4 only computes the
supremal sublanguage of L(G) satisfying safety, progress, and controllability.
We have written a C program for Algorithm 5 (and the associated Algorithm 4) that
utilizes a finite state machine library originally developed for supervisory control [26]. Using
the program for Algorithm 4 we first computed the supremal sublanguage of L(G) satisfying
controllability, safety, and progress for the example. The state machine G, which is the
composition of the Alternating Bit sender, the Alternating Bit channel, and the Nonsequenced
receiver, contains 66 states. The composition of G with S̄ (which has three states) contains
198 states. The initial iteration of the safety check disqualified 66 states. The next iteration,
which performs the controllability and progress checks, disqualified an additional 34 states. No
additional states were disqualified in the next iteration of controllability and progress checks.
This resulted in a test converter with 198 − (66 + 34) = 98 states. The test converter also
passed the normality test, thus qualifying it as a valid converter.
A second possible heuristic is to guess a test converter C and verify its correctness by
checking whether L(G ∥ C) is a converter language, which as we show below can be done in
polynomial time. First note that it is not difficult to guess a converter; a simple possibility is
to design a system that emulates the missing portions of the mismatched protocols, i.e., the
receiver protocol P_r of P and the sending protocol Q_s of Q. For the motivating example the
"guess converter" we consider below emulates the functions of the Alternating Bit receiver
and the Nonsequenced sender.
In order to test whether L(G ∥ C) is a converter language, we must check whether it satisfies
controllability, normality, safety, and progress. Polynomial time tests for controllability
and normality can be found in [12, pp. 75, 103]. Here we present a polynomial time test for
safety and progress. For notational simplicity let G5 := G ∥ C. We first refine G5 by
composing it with S̄: let G6 := S̄ ∥ G5, whose state set is (Y ∪ {y_d}) × (state set of G5). Note
that since Σ_e ⊆ Σ,

L(G6) = {s ∈ L(G5) | s↑Σ_e ∈ L(S̄)} = L(G5),

where the last equality follows from the fact that L(S̄) = Σ_e^*. Also, given a trace s ∈ L(G6) =
L(G5), its execution leads to a state of G6 whose first coordinate is y_d if and only if
s↑Σ_e ∉ pr(K). So for L(G5) to satisfy safety, no state of G6 should have y_d as its first
coordinate. Also, for L(G5) to satisfy progress, the set of external events that can be executed
following the execution of zero or more internal events from each state of G6 with first
coordinate y should contain the set of external events executable at the corresponding state
y in S. So we have the following algorithm for checking safety and progress:
Algorithm 6 Consider the composition of mismatched protocols G, a test converter C, and
a deterministic generator S of pr(K).
1. Construct G5 := G ∥ C.
2. Construct G6 := S̄ ∥ G5.
3. Then L(G ∥ C) satisfies safety and progress if and only if for every state of G6, with first
coordinate y, both [y ≠ y_d] and [the set of external events executable at y in S is contained
in the set of external events that can be executed following zero or more internal events
from that state in G6] hold.
If the number of states in the converter is p, then the computational complexity of the
algorithm is O(m²n²p²), since G6 has O(mnp) states and equally many reachability
computations need to be performed.
A test converter for the motivating example is shown in Figure 8. The converter adopts
the following simple conversion strategy. Initially, when one or more data packets with label
0 arrive (event +d0), it removes the label and forwards a single data packet to the receiver
(event +D). No action is taken at this point if more copies of the same data packet arrive
(due to a sender timeout). When the receiver transmits an acknowledgment (event -A),
the converter attaches the label 0 and puts it onto the sender's channel (event -a0). The
procedure is repeated when data packets with a different label arrive (except for the difference
in the label used). However, if another data packet with the same label arrives (due to a
sender timeout or a loss of the acknowledgment in the channel), then the same acknowledgment
is retransmitted.

Figure 8: A test converter
We have verified that L(G ∥ C) (where G = P_s ∥ P_c ∥ Q_r) satisfies safety, progress,
controllability, and normality, i.e., it is a converter language. Since L(G ∥ C) is obviously
nonempty, it follows from Theorem 3 that C is indeed a valid converter.
6 Conclusion
In this paper we have studied the problem of designing protocol converters that need
to be interposed between a pair of mismatched protocols. Our approach is systematic and
is based on the recent theory of supervisory control of discrete event systems. The work
presented here provides a new framework for protocol converter designers on the one hand, and
serves as an application for supervisory control theorists on the other hand. The basic
concepts of controllability, observability, normality, and computation of supremal languages
from supervisory control, and safety and progress from protocol design, play an important role
in the protocol conversion problem. The converter that we derive is maximally permissive
in the sense that any other converter will further restrict the behavior of the entire system.
However, the maximally permissive converter may not have a minimal number of states.
The design of such minimal converters is an interesting problem for future research.
References
[1] R. D. Brandt, V. K. Garg, R. Kumar, F. Lin, S. I. Marcus, and W. M. Wonham.
Formulas for calculating supremal controllable and normal sublanguages. Systems and
Control Letters, 15(8):111–117, 1990.
[2] K. Calvert and S. S. Lam. Formal methods of protocol conversion. IEEE Journal on
Selected Areas in Communication, 8(1):127–142, January 1990.
[3] E. Chen and S. Lafortune. Dealing with blocking in supervisory control of discrete event
systems. IEEE Transactions on Automatic Control, 36(6):724–735, 1991.
[4] H. Cho and S. I. Marcus. On supremal languages of class of sublanguages that arise in
supervisor synthesis problems with partial observations. Mathematics of Control Signals
and Systems, 2:47–69, 1989.
[5] R. Cieslak, C. Desclaux, A. Fawaz, and P. Varaiya. Supervisory control of discrete
event processes with partial observation. IEEE Transactions on Automatic Control,
33(3):249–260, 1988.
[6] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, Inc., Englewood
Cliffs, NJ, 1985.
[7] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and
Computation. Addison-Wesley, Reading, MA, 1979.
[8] K. Inan. Supervisory control and formal methods for distributed systems. In Discrete
Event Systems: Modeling and Control (Proceedings of WODES 1992), pages 29–41.
Birkhauser-Verlag, Basel, 1993.
[9] K. Inan. Supervisory control: Theory and application to the gateway synthesis problem.
In Belgian-French-Netherlands Summer School on Discrete Event Systems, 25 pages.
Spa, Belgium, 1993.
[10] K. Inan. Nondeterministic supervision under partial observations. In Guy Cohen and
Jean-Pierre Quadrat, editors, Lecture Notes in Control and Information Sciences 199,
pages 39–48. Springer-Verlag, New York, 1994.
[11] R. Kumar and M. Fabian. On supervisory control of partial specification arising in
protocol conversion. In 1997 IASTED Control Conference, Cancun, Mexico, May 1997.
Submitted.
[12] R. Kumar and V. K. Garg. Modeling and Control of Logical Discrete Event Systems.
Kluwer Academic Publishers, Boston, MA, 1995.
[13] R. Kumar, V. K. Garg, and S. I. Marcus. On controllability and normality of discrete
event dynamical systems. Systems and Control Letters, 17(3):157–168, 1991.
[14] R. Kumar, S. Nelvagal, and S. I. Marcus. Design of protocol converters: A discrete
event systems approach. In Proceedings of 1996 International Workshop on Discrete
Event Systems, pages 7–12, Edinburgh, UK, August 1996.
[15] R. Kumar, S. Nelvagal, and S. I. Marcus. Protocol conversion using supervisory control
techniques. In Proceedings of 1996 IEEE CCA/ISIC/CACSD, pages 32–37, Dearborn,
MI, September 1996.
[16] R. Kumar and M. A. Shayman. Automata-theoretic tests for observability and
co-observability. In Proceedings of 1995 IEEE Conference on Decision and Control, pages
919–920, New Orleans, LA, 1995.
[17] Simon S. Lam. Protocol conversion. IEEE Transactions on Software Engineering,
14(3):353–362, March 1988.
[18] F. Lin and W. M. Wonham. On observability of discrete-event systems. Information
Sciences, 44(3):173–198, 1988.
[19] F. Lin and W. M. Wonham. Supervisory control of timed discrete event systems under
partial observation. IEEE Transactions on Automatic Control, 40(3):558–562, 1995.
[20] Kaoru Okumura. A formal protocol conversion method. Proceedings ACM SIGCOMM,
pages 30–37, 1986.
[21] P. E. Green, Jr. Protocol conversion. IEEE Transactions on Communications,
COM-34(3):257–268, March 1986.
[22] P. J. Ramadge and W. M. Wonham. On the supremal controllable sublanguage of a
given language. SIAM Journal of Control and Optimization, 25(3):637–659, 1987.
[23] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event
processes. SIAM Journal of Control and Optimization, 25(1):206–230, 1987.
[24] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedings
of IEEE: Special Issue on Discrete Event Systems, 77:81–98, 1989.
[25] K. Rudie and W. M. Wonham. Supervisory control of communicating processes. In
L. Logrippo, R. L. Robert, and H. Ural, editors, Protocol Specification, Testing and
Verification, pages 243–257. Elsevier Science Publishers, North-Holland, 1990.
[26] Himanshu A. Sanghavi. A software library for discrete event systems and other finite
state machine based applications. Master's thesis, University of Texas, Austin, 1991.
[27] S. Takai, A. Takae, and S. Kodama. The extremal languages arising in supervisory
control for service specifications. In Proceedings of 1996 IEEE Conference on Decision
and Control, Kobe, Japan, December 1996.
[28] A. S. Tanenbaum. Computer Networks. Prentice Hall, Inc., Englewood Cliffs, NJ, 1990.
[29] J. G. Thistle. Logical aspects of control of discrete event systems: a survey of tools and
techniques. In Guy Cohen and Jean-Pierre Quadrat, editors, Lecture Notes in Control
and Information Sciences 199, pages 3–15. Springer-Verlag, New York, 1994.
[30] J. N. Tsitsiklis. On the control of discrete event dynamical systems. Mathematics of
Control Signals and Systems, 2(2):95–107, 1989.