Abstract: This paper describes a framework for compositional supervisor synthesis, which is applicable to all discrete event systems modeled as a set of deterministic automata. Compositional synthesis exploits the modular structure of the input model, and therefore works best for models consisting of a large number of small automata. The state-space explosion is mitigated by the use of abstraction to simplify individual components, and the property of synthesis equivalence guarantees that the final synthesis result is the same as it would have been for the non-abstracted model. The paper describes synthesis equivalent abstractions and shows their use in an algorithm to efficiently compute supervisors. The algorithm has been implemented in the DES software tool Supremica and successfully computes nonblocking modular supervisors, even for systems with more than reachable states, in less than 30 seconds.
I. INTRODUCTION

It is known [1] that for a given plant and specification, a unique least restrictive, controllable, and nonblocking supervisor exists. Straightforward synthesis algorithms explore the complete monolithic state-space of the considered system, and are therefore limited by the well-known state-space explosion problem. The sheer size of the supervisor also makes it humanly incomprehensible, which hinders acceptance of the synthesis approach in industrial settings.
Various approaches for modular and compositional synthesis have been proposed to overcome these problems. Some of these approaches [3], [6] rely on structure provided by users and hence are hard to automate. Other early methods [7], [8] only consider the synthesis of least restrictive controllable supervisors, ignoring nonblocking. Supervisor reduction [9] and supervisor localization [10] greatly help to reduce synthesized supervisors in size, yet rely on a supervisor to be constructed first and thus remain limited by its size.
Compositional methods [11] use abstraction to remove states and transitions that are superfluous for the purpose of synthesis. The most common abstraction method is natural projection which, when combined with the observer property, produces a nonblocking but not necessarily least restrictive supervisor [3] . If output control consistency is added as an additional requirement, least restrictiveness can be ensured [12] . Output control consistency can be replaced by a weaker condition called local control consistency [13] .
Conflict-preserving abstractions [4] and weak observation equivalence [5] can be used as abstractions for the synthesis of nonblocking supervisors. In these works it is assumed that, when an event is abstracted, supervisor components synthesized at a later stage cannot observe or disable that event. This makes abstracted events unobservable and removes some possibilities of control.
Halfway synthesis [14] and local supervisors [5] are different strategies to avoid uncontrollable transitions to blocking states. Local supervisors [5] remove the source states of these transitions by disabling some controllable events. This may cause unnecessary disablements as it may be discovered later that some uncontrollable transitions are disabled by other plants. Halfway synthesis [14] defers the decision to remove states and retains uncontrollable transitions until it is clear that they cannot be disabled by any other component.
In [5], [14], and [15], synthesis is considered in a nondeterministic setting, which leads to some problems when interpreting results and ensuring least restrictiveness. These problems are overcome to some extent by synthesis abstraction [16]–[19]. Several compositional synthesis methods require all automata and their abstraction results to be deterministic, which makes some desirable abstractions impossible. Following ideas from [20]–[22], renaming is used in [16] to avoid nondeterminism after abstraction.

This paper presents a compositional synthesis approach with abstraction methods that guarantee the preservation of the final synthesis result. A data structure called synthesis triple is introduced to combine the abstraction methods of [14], [16]–[19] with renaming. This is a general framework intended for use with a variety of present and future means of abstraction. The implementation presented in this paper uses halfway synthesis, adapted from [14], and observation equivalence-based abstractions [18], [19], which have higher abstraction potential than methods based on natural projection [18]. These methods allow for the abstraction of observable events in such a way that abstracted events can still be used by supervisor components synthesized at a later stage. Nondeterminism after abstraction is avoided using renaming [20]–[22] as proposed in [16].

0018-9286 © 2013 IEEE
These results are combined in a general framework for compositional synthesis, and an algorithm is proposed to compute modular supervisors that are least restrictive, controllable, and nonblocking. This is a completely automatic synthesis method, applicable to general discrete event systems, provided that they are represented as a set of deterministic finite-state automata. The algorithm has been implemented in the DES software tool Supremica [23] and applied to compute modular supervisors for several large industrial models. It successfully computes modular supervisors, even for systems with more than reachable states, within 30 seconds and using no more than 640 MB of memory.
In the following, Section II briefly introduces the background of supervisory control theory, and Section III gives a motivating example to informally illustrate compositional synthesis and abstraction. Next, Section IV explains compositional synthesis and the idea of synthesis equivalence underlying the compositional algorithm. Then, Section V presents different ways of computing abstractions that preserve synthesis equivalence. The algorithm for the proposed compositional synthesis procedure is described in Section VI, and Section VII applies the algorithm to several benchmark examples. Some concluding remarks are drawn in Section VIII. Formal proofs of technical results are omitted from this paper and can be found in [24].
II. PRELIMINARIES

A. Events and Languages
The behavior of discrete event systems can be described using events and languages. Events represent incidents that cause transitions from one state to another and are taken from a finite alphabet . For the purpose of supervisory control, this alphabet is partitioned into two disjoint subsets, the set of controllable events and the set of uncontrollable events. Controllable events can be disabled by a supervisor, while uncontrollable events cannot be disabled by a supervisor. In addition, the special termination event is used, with the notation .
is the set of all finite traces of events from , including the empty trace . A subset is called a language. Synchronous composition is associative, that is, . Another common automaton operation is the quotient modulo an equivalence relation on the state set.
Definition 3: Let be a set. A relation is called an equivalence relation on if it is reflexive, symmetric, and transitive. Given an equivalence relation on , the equivalence class of is , and is the set of all equivalence classes modulo .
Definition 4:
Let be an automaton and let be an equivalence relation. The quotient automaton of modulo is (2) where and .
C. Supervisory Control Theory
Given a plant automaton and a specification automaton , a supervisor is a controlling agent that restricts the behavior of the plant such that the specification is always fulfilled. Supervisory control theory [1] provides a method to synthesize a supervisor. Two common requirements for the supervisor are controllability and nonblocking. Again, the subscript is omitted when , i.e., . The supremal element is defined based on the subautomaton relationship (Def. 7). The result is equivalent to that of traditional supervisory control theory [1] . That is, represents the behavior of the least restrictive supervisor that disables only controllable events in such that nonblocking is ensured.
The supervisor can be represented as a map that assigns to each trace a control decision such that , consisting of the events to be enabled after observing the trace . A supervisor can only disable controllable events and leaves all uncontrollable events enabled [1], [22]. An automaton can also implement a supervisor map, using (4)

If , then controllability and nonblocking are ensured. The supervisor automaton can be computed using a fixpoint algorithm, which iteratively identifies and removes from blocking states and states leading to blocking states via uncontrollable events [14].
In this paper, the supervisor has a modular structure, , consisting of a set of supervisor automata. The combined global supervisor can be constructed by applying the formal definition of synchronous composition (5). In practice, the supervisor can be represented in its modular form, and synchronization is performed online, tracking the component states as the system evolves. In this way, explicit synchronous product computation and state-space explosion are avoided. Based on this, supervisors are identified with automata or sets of automata in the following.
The operator only defines the synthesis result for a plant automaton . In order to apply this synthesis to control problems that also involve specifications, the transformation proposed in [14] is used. Specification automata are transformed into plants by adding, for every uncontrollable event that is not enabled in a state, a transition to a new blocking state . This essentially transforms all potential controllability problems into potential blocking problems.
Definition 8: [14] Let be a specification. The complete plant automaton for is (6) where is a new state and and (7) for some
In general, synthesis of the least restrictive nonblocking and controllable behavior allowed by a specification with respect to a plant is achieved by computing [14] .
III. MOTIVATING EXAMPLE
This section demonstrates compositional synthesis using the example of a simple manufacturing system shown in Fig. 1. Two machines and are linked by two buffers and that can store one workpiece each. The first machine takes workpieces from outside the system (event ), processes them, and puts them into (event ). also takes workpieces from (event ), processes them, and outputs them from the system (event ). Machine takes workpieces from (event ), processes them, and puts them into (event ). Using switches and , the user can suspend (event ) and resume (event ) production of or , respectively. Fig. 2 shows an automata model of the system. All events are observable, and uncontrollable events are prefixed by an exclamation mark. Automata , , , and are plants. For illustration, the two switches are not identical: models a requirement for the synthesized supervisor to prevent starting of in suspend mode, while models a plant where it is physically impossible to start in suspend mode. Automata and are specifications to avoid buffer overflow and underflow, which are transformed into complete plant automata and (Def. 8). To satisfy these specifications, a supervisor must be synthesized for the system.
The compositional synthesis procedure is a sequence of small steps. At each step, automata are simplified and replaced by abstracted versions such that the supervisor synthesized from the abstracted system yields the same language when controlling the system as would the supervisor synthesized from the original system. Synchronous composition is computed step by step on the abstracted automata. In addition to synchronization and abstractions, a supervisor component may also be produced at each step. In the end, the procedure results in a single abstracted automaton, which is simpler than the original system, and standard synthesis is applied to this abstracted automaton.
Initially, the system is . In the first step of compositional synthesis, individual automata are abstracted if possible. Events and only appear in automaton , and such events are referred to as local events. Exploiting local events, states and in can be merged, as synthesis will always remove either none or both of these states. Automaton can then be replaced by a synthesis equivalent automaton shown in Fig. 3. Automaton is a selfloop-only automaton that always enables all its events, so it can be disregarded in the synthesis.
Similarly, events and are local to automaton , so the same abstraction method can be applied. However, an attempt to compute an abstraction as before results in the nondeterministic automaton shown in Fig. 3 . A correct supervisor needs to be aware of the states of in order to decide whether or not to enable controllable event , and it is not straightforward to construct such a supervisor only from the abstraction . To solve the nondeterminism problem, event in is replaced by two new events and . This procedure is referred to as renaming. Automaton is replaced by the renamed deterministic automaton shown in Fig. 3 , and automaton , which is the renamed version of , is stored as a distinguisher in a set of collected supervisors. It is the first component of the supervisor to be computed in the end.
Having replaced in , automata , and need to be modified to use the new events and . Therefore, and are replaced by and shown in Fig. 3. These automata are constructed by replacing the -transitions in and by transitions labeled and . After this, events and only appear in selfloops in the entire system, and as a result no state change is possible by executing these events. Thus, the selfloops associated with these events can be removed, which results in the abstracted automaton shown in Fig. 3.

Next, events and are local events in . States and can be merged. However, since is not a local event, and cannot be merged: can be a blocking state if is disabled by other components. Fig. 4 shows the abstracted automaton . Furthermore, event now only appears in a selfloop in the entire system, so the selfloop associated with this event can be removed from , resulting in the abstracted automaton shown in Fig. 4. At this point, the system has been simplified to .

None of these automata can be simplified further, so the next step is to compose some of them. Fig. 5 shows the composition of and , which causes to become a local event. Clearly, the blocking state in must be avoided, and since the uncontrollable event only appears in this automaton, state must also be avoided. Consequently, controllable event must be disabled in . Therefore, automaton is replaced by the synthesis equivalent abstraction shown in Fig. 5. This is a special case of halfway synthesis [14], explained in more detail in Section V-B. The abstracted automaton is added to the set of collected supervisors to enable the final supervisor to make the control decision for . Furthermore, since is a local uncontrollable event, states and in can be merged, which results in the synthesis equivalent automaton shown in Fig. 5. Then event is always enabled in , and only appears on selfloop transitions, and only appears on selfloops in the entire model. Thus, these events can be removed, resulting in shown in Fig. 5.

A similar procedure is applied to . Exploiting the local event results in the abstracted automata , , and shown in Fig. 6. After all these abstractions, the uncontrolled plant model is , and the collected supervisor set is . The last two steps are to compose the automata in , resulting in the eight-state automaton shown in Fig. 7, and to calculate a supervisor for this automaton. This supervisor is in Fig. 7 and has four states. Adding it to the set results in the nonblocking modular supervisor (8) which is the least restrictive, controllable and nonblocking supervisor, and produces exactly the same controlled behavior as would a monolithic supervisor calculated for the original system . The largest component of the modular supervisor is , with four states, and it has been computed by exploring the state space of , which has eight states. In contrast, standard monolithic synthesis explores a state space of 138 states and produces a single supervisor with 52 states.
The example demonstrates how compositional synthesis works. In the sequel, Section IV explains the concepts formally and shows how the renamed supervisor can control the unrenamed plant, and Section V describes the individual abstraction methods.
IV. COMPOSITIONAL SYNTHESIS
This section describes the compositional synthesis framework. The data structure of synthesis triples is introduced, which represents partially solved synthesis problems in the algorithm. Based on this, a control architecture is presented to implement the computed supervisors after renamings.
A. Basic Idea
The input to compositional synthesis is an arbitrary set of deterministic automata representing the plant to be controlled:
The objective is to calculate a supervisor that constrains the behavior of to its least restrictive nonblocking sub-behavior, by disabling only controllable events.
Compositional synthesis works by repeated abstraction of system components based on local events: events that appear in and in no other automaton with are local to , and they are crucial to abstraction. In the following, the set of local events is denoted by , and denotes the set of non-local or shared events.
Using abstraction, some components in (9) are replaced by simpler versions . If this is no longer possible, some components in (9) are selected and composed, i.e., replaced by their synchronous composition. This typically leads to new local events, making further abstraction possible.
When an abstraction is computed, this may lead to the discovery of new supervisor decisions. For example, if contains a controllable transition leading to a blocking state, it is clear that this transition must be disabled by every supervisor. Therefore, abstraction may produce a supervisor component in addition to the abstracted automaton . The algorithm collects these supervisor components in a set , called the set of collected supervisors. Abstraction may also result in nondeterminism, which is avoided by applying a renaming.
Thus, compositional synthesis starts with the set of plant automata (9) , no collected supervisors, and no renaming. At each step, plant automata are replaced by the result of abstraction or synchronous composition, supervisors are added to , and the renaming is modified. Eventually, only one plant automaton is left, which is removed from and used to calculate the final supervisor to be added to . Then becomes empty and the collected supervisors , together with the renaming , form a least restrictive supervisor for the original synthesis problem.
B. Renaming
Nondeterminism is avoided in the compositional synthesis algorithm, because it is not straightforward to compute supervisors from nondeterministic abstractions. If an abstraction step results in a nondeterministic automaton, a renaming is applied first, introducing new events to disambiguate nondeterministic branching.
The use of renaming to disambiguate abstractions is proposed in [21] . In the following, a renaming is a map that relates the events of the current abstracted system to the events in the original plant, which works in the reverse direction compared to [21] .
Definition 9: Let and be two sets of events. A renaming is a controllability-preserving map, i.e., a map such that is controllable if and only if is controllable. For example, when event is disambiguated into and in automaton in Fig. 3 in the introductory example, the renaming is such that and for all other events.
The definition of is extended to cover the termination event by letting . Renamings are extended to traces by applying them to each event, and to languages by applying them to all traces. They are also extended to automata with alphabet by replacing all transitions with . When new events are introduced, the compositional synthesis algorithm continues to operate using the new events and thus produces a supervisor based on an alphabet different from that of the original plant. To communicate correctly with the original plant, the supervisor needs to determine which of the new events or is to be executed when the plant generates one of its original events . This is achieved by adding a so-called distinguisher [20] 
, it holds that . Based on Def. 11, a distinguisher differentiates between the renamed events. Furthermore, two traces accepted by a distinguisher never differ only in the renamed events. This guarantees that only one of the renamed events is enabled at each state. In the introductory example, automaton in Fig. 3 is a -distinguisher that differentiates from . This is because enables at most one of the events and in each state, so it can always make a choice between these two events.
Another operation is necessary in combination with renaming. After applying a renaming to an automaton in a system , the remaining automata with and the collected supervisors, , need to be modified to use the new events.
Definition 12: Let be an automaton, and let be a renaming. Then where . Automaton is obtained by replacing transitions labeled with the original event by new transitions labeled with each of the new events. For example, Fig. 3 in the introductory example shows and , which replace the original plants and after the renaming. When a renaming is applied, the distinguisher is the only automaton that differentiates between the renamed events, all others are transformed by . The compositional synthesis algorithm proposed in the following repeatedly applies renamings and eventually produces a supervisor using a modified alphabet , and a renaming that maps the renamed events back to the events of the original plant. The control architecture in Fig. 8 enables the renamed supervisor to interact with the original unrenamed plant .
Assume that, after execution of a trace , an event occurs in the plant, and has been renamed and replaced by and . Being unaware of the renaming, the plant will just communicate the occurrence of to the supervisor. When this happens, first the function replaces by the set , sending both possibilities to the distinguisher , which is part of the set of collected supervisors. Following Def. 11, enables only one of or . The selected event , either or , is passed to the remaining components of the supervisor, , to update their states and issue a new control decision . Here, is the renamed version of the history . The control decision is based on the renamed model and therefore contains renamed events, so the renaming is applied to translate it back to a control decision using the original plant events.
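As an added example, not code from the paper or from Supremica, the following Python program runs the control architecture of Fig. 8 online: the plant reports one of its original events, the supervisor forms the preimage of that event under the renaming, the distinguisher selects the renamed event, every collected component updates its state, and the resulting control decision is mapped back to the plant's alphabet. The plant events (`start`, `put`, `take`), the renaming of `put` into `put_a`/`put_b`, the distinguisher and the second supervisor component are all constructed assumptions for this illustration.

```python
"""Added example (not the paper's code): the control architecture of Fig. 8
driven online by original plant events.  Plant events, the renaming and the two
supervisor components are constructed for this illustration."""


class Component:
    """A deterministic supervisor component over the renamed alphabet, tracked
    online.  Events outside its alphabet neither move nor restrict it."""

    def __init__(self, alphabet, init, delta):
        self.alphabet = frozenset(alphabet)
        self.state = init
        self.delta = dict(delta)  # (state, event) -> next state

    def enables(self, event):
        return event not in self.alphabet or (self.state, event) in self.delta

    def step(self, event):
        if event in self.alphabet:
            self.state = self.delta[(self.state, event)]


class RenamedSupervisor:
    """Runs the loop of Fig. 8 for a renaming rho (renamed event -> original
    event).  The distinguisher must enable at most one renamed version of each
    original event per state (Def. 11); the other components never
    differentiate between renamed events, so filtering with all components is
    the same as asking the distinguisher first."""

    def __init__(self, distinguisher, others, rho, uncontrollable):
        self.components = [distinguisher] + list(others)
        self.rho = dict(rho)
        self.uncontrollable = frozenset(uncontrollable)  # original events

    def preimage(self, sigma):
        """rho^{-1}(sigma): every renamed version of an original plant event."""
        return {e for e, s in self.rho.items() if s == sigma}

    def observe(self, sigma):
        """The plant reports original event sigma; pick the renamed event the
        distinguisher allows, update all components, return the renamed event."""
        choice = [e for e in self.preimage(sigma)
                  if all(c.enables(e) for c in self.components)]
        if len(choice) > 1:
            raise ValueError(f"{sigma!r}: distinguisher property violated {choice}")
        if not choice:
            raise ValueError(f"{sigma!r}: event was disabled by the supervisor")
        for c in self.components:
            c.step(choice[0])
        return choice[0]

    def control_decision(self):
        """Original-alphabet events enabled now: all uncontrollable events plus
        the controllable events that every component enables."""
        return {sigma for e, sigma in self.rho.items()
                if sigma in self.uncontrollable
                or all(c.enables(e) for c in self.components)}


def build_example():
    """Constructed instance: plant event 'put' was split into put_a / put_b.
    'put' is uncontrollable, 'start' and 'take' are controllable."""
    rho = {"start": "start", "put_a": "put", "put_b": "put", "take": "take"}
    distinguisher = Component({"start", "put_a", "put_b"}, 0, {
        (0, "start"): 1, (1, "put_a"): 2, (2, "start"): 3, (3, "put_b"): 0})
    other = Component({"put_b", "take"}, 0, {(0, "put_b"): 1, (1, "take"): 0})
    return RenamedSupervisor(distinguisher, [other], rho, {"put"})


def run(trace):
    """Feed a constructed plant trace; return (renamed event, next decision)."""
    sup = build_example()
    log = []
    for sigma in trace:
        renamed = sup.observe(sigma)
        log.append((renamed, frozenset(sup.control_decision())))
    return log


def rejects(trace):
    """True when the plant trace executes an event the supervisor disabled."""
    try:
        run(trace)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for renamed, decision in run(["start", "put", "start", "put", "take"]):
        print(f"{renamed:6s} -> enable {sorted(decision)}")
```

On the constructed trace the two occurrences of `put` are resolved to `put_a` and then `put_b` by the distinguisher alone; the second component only sees `put_b`, after which it enables `take`. Feeding `take` as the first event raises an error, since the supervisor had not enabled that controllable event.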
C. Synthesis Triples
The compositional synthesis algorithm keeps track of three pieces of information:
• a set of uncontrolled plant automata;
• a set of collected supervisor automata;
• a renaming that maps the events of the automata in back to events of the original plant.

This information is combined in a synthesis triple, which is the main data structure manipulated by the compositional synthesis algorithm.
Definition 13: A synthesis triple is a triple , where and are sets of deterministic automata and is a renaming, such that i) ; ii) is a -distinguisher; iii) for all events such that , there exists at most one automaton that differentiates from . Here and in the following, sets and are also used to denote the synchronous composition of their elements, like . When then is the universal automaton that accepts the language .
A synthesis triple represents a partially solved control problem at an intermediate step of compositional synthesis. The set contains an abstracted plant model, and contains the supervisors collected so far, which must constrain the behavior of the plant (i). The renaming maps the events found in the abstracted plant or collected supervisors back to events in the original plant. The synchronous composition of the supervisors is required to have the distinguisher property (ii) to ensure that it can be used with the control architecture in Fig. 8 . Furthermore, if two events and are renamed to the same event, then there can be at most one automaton in the set that differentiates between these events (iii).
The following notation associates with each synthesis triple a synthesis result.
Definition 14: Let be a synthesis triple. Then (10)

The synthesis result for the partially solved control problem is obtained by composing the monolithic supervisor for the remaining plants, , with the supervisors collected so far, , and afterwards renaming.
1) Example 1: At the final step of the compositional synthesis in Section III, the abstracted uncontrolled system is , the collected supervisor set is , and the renaming is such that and for . This is represented by the synthesis triple . The synthesis result for this triple is obtained by calculating a monolithic supervisor for the abstracted uncontrolled plant, , which is added to the supervisor set, ; and afterwards all components are renamed back. This gives . As explained in Section IV-B, the synchronous composition never has to be computed explicitly as it can be represented in its modular form.
While manipulating synthesis triples, the compositional synthesis algorithm maintains the invariant that all generated triples have the same synthesis result, which is equivalent to the least restrictive solution of the original control problem. Every abstraction step must ensure that the synthesis result is the same as it would have been for the non-abstracted components. This property is called synthesis equivalence [16] .
Definition 15: Two triples and are synthesis equivalent , if
The compositional synthesis algorithm calculates a modular supervisor for a modular system . Initially no renaming has been applied and no supervisor or distinguisher has been collected. Thus, this input is converted to the initial synthesis triple , where is the identity map, i.e., for all . Afterwards, the initial triple is abstracted repeatedly such that synthesis equivalence is preserved: (12)

Some of these steps replace an automaton in by an abstraction, others reduce the number of automata in by synchronous composition or by replacing an automaton in with a supervisor in . The algorithm terminates when , at which point together with forms the modular supervisor. The following result, which follows directly from Def. 14 and 15, confirms that this approach gives the same supervised behavior as a monolithic supervisor for the original system.
Theorem 2: Let be a set of automata, and let . Then .
V. SYNTHESIS TRIPLE ABSTRACTION OPERATIONS
The idea of compositional synthesis is to continuously rewrite synthesis triples such that synthesis equivalence is preserved. This section gives an overview of different ways to simplify automata that can be used in the framework of this paper. Sections V-A and V-B present abstraction methods from [1] , [14] , which here are adapted to synthesis triples, and Sections V-C and V-D describe methods proposed by the authors in [16] , [18] . Further details and formal proofs of correctness can be found in [24] .
A. Basic Rewrite Operations
The simplest methods to rewrite synthesis triples are synchronous composition and monolithic synthesis. It is always possible to compose two automata in the set of uncontrolled plants, or to place their monolithic synthesis result into the set of supervisors. These basic methods are included here for the sake of completeness. They do not contribute to simplification, and are only needed when no other abstraction is possible.
Theorem 3: Let and , let be a renaming, and let be a -distinguisher. Then .

Theorem 4: Let be a synthesis triple. Then .
B. Halfway Synthesis
Halfway synthesis is an abstraction method that works well in compositional synthesis [14] . Sometimes it is clear that certain states in an automaton must be removed in synthesis, no matter what the behavior of the rest of the system is. Clearly, blocking states can never become nonblocking. Moreover, local uncontrollable transitions to blocking states must be removed, because no other component nor the supervisor can disable a local uncontrollable transition.
Definition 16: Let and . The halfway synthesis result for with respect to is (13) where , , and and (14) does not hold
Halfway synthesis is calculated like ordinary synthesis, but considering only local events as uncontrollable. Shared uncontrollable transitions to blocking states do not necessarily cause blocking, as some other plant component may yet disable them. Therefore, these transitions are retained and redirected to the blocking state instead.
Example 2: Consider automaton in Fig. 9 with and . State is blocking, so is also considered as unsafe, because the local uncontrollable -transition cannot be disabled by the supervisor nor by any other plant component. Every nonblocking supervisor can and will disable the controllable transitions and . State may still be safe, because some other plant component may disable the shared events and . The blocking state is added and the - and -transitions are redirected to in the halfway synthesis result , see Fig. 9. This ensures that later synthesis is aware of the potential problem regarding or .
The following theorem extends a result about halfway synthesis for supervision equivalence using state labels [14] to the more general framework of synthesis triples.
Theorem 5: Let be a synthesis triple with , and let such that . Then .

Complexity: Halfway synthesis can be achieved using a standard synthesis algorithm [1] and runs in time complexity , where and are the numbers of states and transitions of the input automaton.
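The fixpoint supervisor computation of Section II-C, the complete-plant transformation of Def. 8, and halfway synthesis as described in Def. 16 and Example 2 can be seen side by side in the following Python code. This is an added example written for this page, not the paper's own code or Supremica's. The automaton encoding (a dictionary from (state, event) pairs to target states, with the string `BOT` as the added blocking state), the event names and the two sample systems are assumptions constructed for the illustration.

```python
"""Added example (not the paper's or Supremica's code): deterministic automata,
synchronous composition, the complete-plant transformation of Def. 8, the
fixpoint supervisor computation of Section II-C, and halfway synthesis (Def. 16).
Event names, state names and the sample plants below are constructed."""

BOT = "BOT"  # the new blocking state added by Def. 8 and Def. 16


class Automaton:
    """Deterministic automaton; delta maps (state, event) -> state.
    Only the part reachable from init is kept."""

    def __init__(self, alphabet, init, marked, delta):
        self.alphabet = frozenset(alphabet)
        self.init = init
        reach, todo = {init}, [init]
        while todo:
            q = todo.pop()
            for (s, _e), t in delta.items():
                if s == q and t not in reach:
                    reach.add(t)
                    todo.append(t)
        self.states = frozenset(reach)
        self.delta = {k: t for k, t in delta.items() if k[0] in reach}
        self.marked = frozenset(marked) & self.states


def compose(a, b):
    """Synchronous composition: shared events synchronise, private ones interleave."""
    alphabet = a.alphabet | b.alphabet
    init = (a.init, b.init)
    delta, marked, seen, todo = {}, set(), {init}, [init]
    while todo:
        x, y = todo.pop()
        if x in a.marked and y in b.marked:
            marked.add((x, y))
        for e in alphabet:
            nx = a.delta.get((x, e)) if e in a.alphabet else x
            ny = b.delta.get((y, e)) if e in b.alphabet else y
            if nx is None or ny is None:
                continue  # event disabled by one of the components
            delta[((x, y), e)] = (nx, ny)
            if (nx, ny) not in seen:
                seen.add((nx, ny))
                todo.append((nx, ny))
    return Automaton(alphabet, init, marked, delta)


def complete_plant(spec, uncontrollable):
    """Def. 8: every uncontrollable event the specification does not enable in a
    state gets a transition to BOT, turning a controllability problem into a
    blocking problem."""
    delta = dict(spec.delta)
    for q in spec.states:
        for u in spec.alphabet & uncontrollable:
            delta.setdefault((q, u), BOT)
    return Automaton(spec.alphabet, spec.init, spec.marked, delta)


def safe_states(aut, uncontrollable):
    """Greatest fixpoint: states that can still reach a marked state inside the
    set and have no uncontrollable transition leaving the set."""
    safe = set(aut.states)
    while True:
        coreach = set(aut.marked & safe)
        changed = True
        while changed:  # backward reachability of marked states within safe
            changed = False
            for (q, _e), t in aut.delta.items():
                if q in safe and q not in coreach and t in coreach:
                    coreach.add(q)
                    changed = True
        new = {q for q in coreach if all(
            t in coreach for (s, e), t in aut.delta.items()
            if s == q and e in uncontrollable)}
        if new == safe:
            return frozenset(safe)
        safe = new


def synthesize(aut, uncontrollable):
    """Least restrictive controllable and nonblocking sub-automaton.  Only
    controllable transitions are cut, since the safe set is closed under
    uncontrollable events.  Returns None when no such behaviour exists."""
    safe = safe_states(aut, uncontrollable)
    if aut.init not in safe:
        return None
    delta = {(q, e): t for (q, e), t in aut.delta.items() if q in safe and t in safe}
    return Automaton(aut.alphabet, aut.init, aut.marked, delta)


def halfway_synthesis(aut, uncontrollable, local):
    """Def. 16: like synthesize(), but only local uncontrollable events count
    as uncontrollable.  Shared uncontrollable transitions into unsafe states
    are redirected to BOT (another component may still disable them), while
    controllable transitions into unsafe states are removed."""
    safe = safe_states(aut, uncontrollable & local)
    delta = {}
    for (q, e), t in aut.delta.items():
        if q in safe and t in safe:
            delta[(q, e)] = t
        elif q in safe and e in uncontrollable:  # necessarily a shared event
            delta[(q, e)] = BOT
    return Automaton(aut.alphabet, aut.init, aut.marked, delta)


UNCONTROLLABLE = frozenset({"finish1", "finish2"})


def manufacturing_example():
    """Constructed two-machine, one-buffer system (a cut-down Section III)."""
    m1 = Automaton({"start1", "finish1"}, 0, {0}, {(0, "start1"): 1, (1, "finish1"): 0})
    m2 = Automaton({"start2", "finish2"}, 0, {0}, {(0, "start2"): 1, (1, "finish2"): 0})
    buf = Automaton({"finish1", "start2"}, 0, {0}, {(0, "finish1"): 1, (1, "start2"): 0})
    plant = compose(compose(m1, m2), complete_plant(buf, UNCONTROLLABLE))
    return plant, synthesize(plant, UNCONTROLLABLE)


def halfway_example():
    """Constructed automaton in the spirit of Example 2: u is a local and s a
    shared uncontrollable event; a, b (local) and c (shared) are controllable.
    State 3 is blocking."""
    g = Automaton({"a", "b", "c", "u", "s"}, 0, {0},
                  {(0, "a"): 1, (1, "u"): 3, (0, "b"): 2, (2, "s"): 3, (2, "c"): 0})
    unc, local = frozenset({"u", "s"}), frozenset({"a", "b", "u"})
    return synthesize(g, unc), halfway_synthesis(g, unc, local)


if __name__ == "__main__":
    plant, sup = manufacturing_example()
    print(len(plant.states), "plant states ->", len(sup.states), "supervisor states")
    mono, half = halfway_example()
    print(sorted(mono.states, key=str), sorted(half.states, key=str))
```

On the constructed two-machine system, `manufacturing_example()` composes a twelve-state plant (four of whose states contain the buffer's `BOT` component) and returns the six-state least restrictive supervisor, in which `start1` is disabled exactly when the buffer is full. `halfway_example()` shows the difference in treatment of the same automaton: ordinary synthesis removes state 2 because of the uncontrollable `s`-transition into the blocking state, whereas halfway synthesis keeps state 2 and redirects that shared transition to `BOT`, because a component composed later may still disable `s`; the local uncontrollable `u`-transition, by contrast, makes state 1 unsafe under both.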
C. Renaming and Selfloop Removal
Another way of rewriting a synthesis triple is by renaming. As explained in Section IV, an automaton can be rewritten into using a renaming such that and is a -distinguisher. Then is added to the set of supervisors as a distinguisher, and the renaming is composed with the previous renamings.
Theorem 6: Let be a synthesis triple with , let be a renaming, and let be a -distinguisher such that and . Then .

In compositional verification, events used in only one automaton can immediately be removed from the model [11]. This is not always possible in compositional synthesis. Even if no other automata use an event, the synthesized supervisor may still need to use it for control decisions that are not yet apparent. Therefore, events can only be removed if it is clear that no further supervisor decision depends on them.
An event can be removed from a synthesis triple, if it causes no state change, which means that it appears only on selfloop transitions in the automata model. In this case, can be removed from all automata. This step is called selfloop removal and formally described in Theorem 7. 
D. Abstraction Based on Observation Equivalence
This section gives an overview of previous results on observation equivalence-based abstractions for synthesis purposes. Bisimulation and observation equivalence [27] provide well-known abstraction methods that work well in compositional verification [11]. Both can be implemented efficiently [28]. They are known to preserve all temporal logic properties [29], but unfortunately this does not help for synthesis [18]. Synthesis equivalence is preserved when an automaton is replaced by a bisimilar automaton, while observation equivalence must be strengthened to achieve the same result. This can be achieved by synthesis observation equivalence [18] and weak synthesis observation equivalence [19].

Theorem 8: . Then it holds that .

Bisimulation is the strongest of the branching process equivalences. Two states are treated as equivalent if they have exactly the same outgoing transitions to the same or equivalent states. Theorem 8 confirms that it is possible to merge bisimilar states in a plant automaton in a synthesis triple while preserving synthesis equivalence.
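To make Theorem 8 concrete, the following added Python code (not from the paper or from Supremica) computes the coarsest bisimulation of a deterministic automaton by partition refinement and builds the quotient automaton of Def. 4, which is the abstraction Theorem 8 allows inside a synthesis triple. The sample automaton, with two bisimilar states reached by different controllable events, and its event names are constructed for this illustration.

```python
"""Added example (not the paper's code): bisimulation by partition refinement
and the quotient automaton of Def. 4 on a deterministic automaton.  The sample
automaton and its event names are constructed for this illustration."""


def bisimulation(states, marked, delta):
    """Coarsest bisimulation: start from the partition {marked, unmarked} and
    split blocks until each state's successors are stable.  Returns a map
    state -> block id; bisimilar states share an id."""
    block = {q: int(q in marked) for q in states}
    while True:
        # signature = own block plus, per outgoing event, the successor's block
        sig = {q: (block[q], frozenset((e, block[t]) for (s, e), t in delta.items() if s == q))
               for q in states}
        ids = {}
        new = {q: ids.setdefault(sig[q], len(ids)) for q in sorted(states, key=str)}
        if len(ids) == len(set(block.values())):
            return new  # no block was split: the partition is a bisimulation
        block = new


def quotient(states, init, marked, delta):
    """Def. 4 for the bisimulation partition.  Because bisimilar states have
    the same outgoing events into bisimilar states, the quotient of a
    deterministic automaton stays deterministic (checked by the assert)."""
    cls = bisimulation(states, marked, delta)
    q_states = frozenset(cls.values())
    q_marked = frozenset(cls[q] for q in marked)
    q_delta = {}
    for (s, e), t in delta.items():
        assert q_delta.get((cls[s], e), cls[t]) == cls[t], "quotient not deterministic"
        q_delta[(cls[s], e)] = cls[t]
    return q_states, cls[init], q_marked, q_delta


SAMPLE_STATES = frozenset({0, 1, 2, 3})
SAMPLE_MARKED = frozenset({0, 3})
# Constructed automaton: states 1 and 2 are bisimilar (both move to 3 on c);
# states 0 and 3 are both marked but have different outgoing events.
SAMPLE_DELTA = {(0, "a"): 1, (0, "b"): 2, (1, "c"): 3, (2, "c"): 3, (3, "d"): 0}


def example():
    """Quotient of the constructed four-state automaton: three states remain."""
    return quotient(SAMPLE_STATES, 0, SAMPLE_MARKED, SAMPLE_DELTA)


if __name__ == "__main__":
    q_states, q_init, q_marked, q_delta = example()
    print(len(SAMPLE_STATES), "states ->", len(q_states), "blocks; transitions:", q_delta)
```

Note that bisimulation merges states 1 and 2 here only because they are reached by distinct controllable events and have identical futures; it never abstracts local events away, which is why the observation-equivalence examples that follow need the additional conditions discussed below.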
Bisimulation does not consider local events for abstraction. However, better abstraction can be achieved by differentiating between local and shared events. This is the idea of observation equivalence, which considers two states as equivalent if they can reach equivalent states by the same sequences of shared events. In Fig. 10, states and can be considered observation equivalent with respect to . Merging these states results in , also shown in Fig. 10. Unfortunately, observation equivalence in general does not imply synthesis equivalence, so Theorem 8 cannot be generalized to observation equivalence [18].
Example 4: Consider again the observation equivalent automata in Fig. 10, with and . The triples and are not synthesis equivalent. With , a supervisor can disable the local controllable event to prevent entering state and thus the occurrence of the undesirable uncontrollable , but this is not possible with . It holds that while .
There are different ways to restrict observation equivalence so that it can be used in compositional synthesis. The problem in Example 4 does not arise if the local events and are uncontrollable. In fact, a result similar to Theorem 8 holds if observation equivalence is restricted to uncontrollable events [18]. With controllable events, abstraction is also possible, but two other issues must be taken into account.
Example 5: Consider automaton in Fig. 11 with and . Merging of observation equivalent states results in , but states and should not be merged for synthesis purposes. Although both states can reach the same states via the controllable event , possibly preceded and followed by the local event , the transition must always be disabled to prevent blocking via the local uncontrollable event , while the transition may be enabled. When used in a system that requires to occur for correct behavior, such as in Fig. 11, state is retained in synthesis while is removed. The triples and are not synthesis equivalent as but .
Example 6: Consider automaton in Fig. 12 with and . Merging of observation equivalent states results in , but states and should not be merged for synthesis purposes. In , states and should be avoided to prevent blocking in state via the local uncontrollable event . Thus, should be disabled in and , making a blocking state, while remains nonblocking due to the transition . The triples and are not synthesis equivalent as but .
The problem in Example 5 is caused by considering the path as equivalent to in order to justify merging states and . However, the path passes through the unsafe state , while does not pass through any unsafe states. This situation can be avoided by only allowing local events before a controllable event. That is, for and it is required that there exists such that and . In Example 5, the local events in are all uncontrollable. Controllable events can lead to the problem in Example 6. They can be allowed under the additional condition that their target states are equivalent to the start state of the path.
Imposing such conditions on observation equivalence results in synthesis observation equivalence, which preserves synthesis results in a way similar to Theorem 8 [18].
Condition i) allows a state with an outgoing controllable event to be equivalent to another state , if that state allows the same controllable event, possibly after a sequence of local events. If that sequence includes a controllable transition , its target state must be equivalent to the start states . Condition ii) is similar to observation equivalence, but restricted to uncontrollable events. The projection is used in the definition to ensure that conditions i) and ii) apply to both local and shared events.
Example 7: Consider automaton in Fig. 13, with all events controllable and . An equivalence relation with and is a synthesis observation equivalence on . Merging the equivalent states results in the deterministic automaton shown in Fig. 13. Note that and in are not synthesis observation equivalent, because but , and the local event occurs after the shared event on the path.
Synthesis observation equivalence does not allow local events after a controllable event. This condition can be further relaxed, allowing local events after controllable events, provided that it can be guaranteed that the states reached by the local transitions after a controllable event are all present in the synthesis result.
Consider again Fig. 13, with all events controllable and . An equivalence relation with and is a weak synthesis observation equivalence on , producing the abstraction . For example, states and can be equivalent as and , with no uncontrollable transitions on these paths. The nondeterminism in can be avoided using a renaming , which leads to the deterministic automaton in Fig. 13.
Both synthesis observation equivalence and weak synthesis observation equivalence can be used for abstraction steps in compositional synthesis. After computing an appropriate equivalence relation on a renamed automaton , the automaton can be replaced by its quotient .
Theorem 9: [19] Let be a synthesis triple with and . Let such that . Let be a synthesis observation equivalence or a weak synthesis observation equivalence relation on with respect to such that is deterministic, and let . Then .
Complexity: Observation equivalence-based abstractions can be computed in polynomial time. The time complexity to compute a bisimulation is [28]. Synthesis observation equivalence and weak synthesis observation equivalence are computed by a modified version of the same algorithm in and time, respectively [19].
VI. COMPOSITIONAL SYNTHESIS ALGORITHM
Given a set of plant automata , the compositional synthesis algorithm repeatedly composes automata and applies abstraction rules. While doing so, it modifies a synthesis triple , collecting supervisors in and updating the renaming , and continues until only one automaton that cannot be further abstracted is left. Then a standard synthesis algorithm is used to compute a final supervisor from the remaining automaton. This principle, which is justified by Theorems 2 and 4, is shown in Algorithm 1. During each iteration of the main loop, a series of steps is applied to simplify the set of plant automata. First, line 4 applies selfloop removal to the entire plant according to Theorem 7. This quick operation improves the performance of the following steps.
Algorithm 1
The next step is to choose a subsystem of for simplification. If no automaton can be simplified individually, a group of automata is selected for composition. The method in line 5 selects an appropriate subsystem, which is then removed from and composed. Different methods to select this subsystem are available in the implementation.
After identification and composition of a subsystem, the set of local events is formed in line 8, which contains the events used only in the subsystem to be simplified. Based on the local events, the abstraction rules given in Theorems 5, 8, and 9 are applied in lines 9-12. Rules of lower complexity are applied first, so halfway synthesis is followed by bisimulation and weak synthesis observation equivalence, which are implemented according to [28] and [19], respectively. If halfway synthesis produces a new supervisor, it is added to the set of supervisors. If weak synthesis observation equivalence results in a deterministic abstracted automaton, this automaton is added back into the set of uncontrolled plants.
Weak synthesis observation equivalence may also result in nondeterminism, if some states in an equivalence class have successor states reached by the same event, but belonging to different equivalence classes. In this case, a renaming is introduced. The method in line 16 replaces the events of any transitions causing nondeterminism in the abstracted automaton by new events and records the target states of these transitions. Using the recorded target states, the same modification to the corresponding transitions is applied to the original automaton . The method returns a renaming map , the deterministic abstracted automaton , and an appropriate distinguisher . In line 17, the inverse renaming is applied to the entire system and the collected supervisors , the abstracted automaton and the distinguisher are added to the resultant automata sets, and the renaming is updated to include . This is equivalent to the application of Theorem 6 followed by Theorem 9.
The loop terminates when the set of uncontrolled plants contains only a single automaton, which is passed to standard synthesis [1] in line 20. According to Theorem 4, the result is added to the set , which in combination with the final renaming gives the least restrictive, controllable, and nonblocking supervisor for the original system .
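Two of the steps of Algorithm 1 written out in Python, as added example code that is neither the paper's nor Supremica's own: selfloop removal from line 4 (Theorem 7) over a set of automata, and the standard synthesis of line 20, computed as a fixed point over the set of safe states (the least restrictive controllable and nonblocking result of [1]). The dictionary encoding of automata, the constructed plants PLANT and FINAL, and the check that a removable event is selflooped in every state of every automaton using it (stricter than the text's condition, and sufficient for it) are assumptions made for this illustration.

```python
from copy import deepcopy
from typing import Optional, Set

# Constructed plant (not from the paper): two deterministic automata, each with
# alphabet, states, initial state, marked states and transitions (state, event) -> state.
# "tick" is selflooped in every state of both automata, "a" is a shared event that
# changes state, and "b" is local to P2.
PLANT = {
    "P1": {"alphabet": {"a", "tick"}, "states": {"p0", "p1"}, "init": "p0",
           "marked": {"p0"},
           "trans": {("p0", "a"): "p1", ("p1", "a"): "p0",
                     ("p0", "tick"): "p0", ("p1", "tick"): "p1"}},
    "P2": {"alphabet": {"a", "b", "tick"}, "states": {"q0", "q1"}, "init": "q0",
           "marked": {"q0"},
           "trans": {("q0", "a"): "q1", ("q1", "b"): "q0",
                     ("q0", "tick"): "q0", ("q1", "tick"): "q1"}},
}


def selfloop_only_events(plant) -> Set[str]:
    """Events that never cause a state change anywhere in the plant.

    Assumption made here (stricter than "appears only on selfloops"): the event
    is selflooped in every state of every automaton whose alphabet contains it,
    so it is never disabled either and no control decision can depend on it.
    """
    alphabet = set().union(*(a["alphabet"] for a in plant.values()))
    return {e for e in alphabet
            if all(a["trans"].get((s, e)) == s
                   for a in plant.values() if e in a["alphabet"]
                   for s in a["states"])}


def selfloop_removal(plant):
    """Line 4 of Algorithm 1 (Theorem 7): drop selfloop-only events everywhere.
    Returns the removed events and a modified copy of the plant."""
    removed = selfloop_only_events(plant)
    new_plant = deepcopy(plant)
    for a in new_plant.values():
        a["alphabet"] -= removed
        a["trans"] = {(s, e): t for (s, e), t in a["trans"].items()
                      if e not in removed}
    return removed, new_plant


# Constructed final automaton for line 20 (deliberately uncontrollable and
# blocking): "u" is uncontrollable, s2 is a deadlock, and s1 and s6 can only be
# kept out of the supervisor by disabling controllable transitions earlier.
FINAL = {
    "states": {"s0", "s1", "s2", "s3", "s4", "s5", "s6"}, "init": "s0",
    "marked": {"s3", "s5"},
    "trans": {("s0", "c"): "s1", ("s1", "u"): "s2", ("s1", "e"): "s3",
              ("s0", "d"): "s6", ("s6", "u"): "s1",
              ("s0", "a"): "s3", ("s3", "b"): "s4", ("s4", "u"): "s5",
              ("s5", "a"): "s3"},
}
UNCONTROLLABLE = {"u"}


def synthesize(aut, uncontrollable) -> Optional[dict]:
    """Standard monolithic synthesis: the least restrictive controllable and
    nonblocking sub-automaton, as a fixed point over the set of safe states."""
    safe = set(aut["states"])
    while True:
        # Nonblocking: keep only states that reach a marked state via safe states.
        coreach = {s for s in aut["marked"] if s in safe}
        grew = True
        while grew:
            grew = False
            for (s, _), t in aut["trans"].items():
                if s in safe and s not in coreach and t in coreach:
                    coreach.add(s)
                    grew = True
        # Controllability: an uncontrollable event must never leave the safe set.
        new_safe = {s for s in coreach
                    if all(t in coreach for (src, e), t in aut["trans"].items()
                           if src == s and e in uncontrollable)}
        if new_safe == safe:
            break
        safe = new_safe
    if aut["init"] not in safe:
        return None  # no safe behaviour at all: no supervisor exists
    return {"states": frozenset(safe), "init": aut["init"],
            "marked": frozenset(aut["marked"] & safe),
            "trans": {(s, e): t for (s, e), t in aut["trans"].items()
                      if s in safe and t in safe}}


if __name__ == "__main__":
    print(selfloop_removal(PLANT)[0])
    print(sorted(synthesize(FINAL, UNCONTROLLABLE)["states"]))
```

On FINAL the fixed point needs two rounds: s1 is dropped first because its uncontrollable "u" leads to the deadlock s2, and only then does s6 lose its last path to a marked state, so the controllable "c" and "d" transitions out of s0 are both disabled while the uncontrollable "u" from s4 is kept. That propagation of an uncontrollable event backwards through a coreachable state is the case a one-pass blocking check would miss.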
VII. EXPERIMENTAL RESULTS
The compositional synthesis algorithm has been implemented in the DES software tool Supremica [23]. The algorithm is completely automatic and does not use any prior knowledge about the structure of the system. The implementation has successfully computed supervisors for several large discrete event systems models. The test cases include the following complex industrial models and case studies, which are taken from different application areas such as manufacturing systems and automotive body electronics:
Automated guided vehicle coordination based on the Petri net model in [30]. To make the example blocking in addition to uncontrollable, there is also a variant, , with an additional zone added at the input station.
Automated manufacturing system of the Atelier Interétablissement de Productique [31] .
Model of a production cell in a metal-processing plant from [32] .
Model of a toy railroad system based on [33] . Two versions present different control objectives.
Models of the central locking system of a BMW car. There are two variants, a three-door model , and a four-door model . These models are derived from the KORSYS project [34] .
Models of a cluster tool for wafer processing previously studied for synthesis in [5] .
Parameterized model of a manufacturing transfer line [2] with different numbers of serially connected cells.
All the test cases considered have at least reachable states in their synchronous composition and are either uncontrollable, blocking, or both. Algorithm 1 has been used to compute supervisors for each of these models. The algorithm is controlled by a state limit of 5000 states: if the synchronous composition of a subsystem in line 7 of Algorithm 1 exceeds 5000 states, that subsystem is discarded and another subsystem is chosen instead. All experiments have been run on a standard desktop PC using a single 2.66 GHz microprocessor.
The results of the experiments are shown in Table I. For each model, the table shows the number of automata (Aut), the number of reachable states (Size), and whether the model is nonblocking (Nonb.) or controllable (Cont.). Next, the table shows the size of the largest synchronous composition encountered during abstraction (Peak States), the total runtime (Time), the total amount of memory used (Mem.), the number of modular supervisors computed (Num.), and the number of states of the largest supervisor automaton (Largest). The table furthermore shows the number of events replaced by renaming (Ren.) and the number of events removed by selfloop removal (SR), and finally the number of states removed by halfway synthesis (HS), bisimulation (Bis.), and weak synthesis observation equivalence (WSOE).
All examples have been solved successfully in a few seconds or minutes, never using more than 1 GB of memory.
To select a subsystem in line 5 of Algorithm 1, a strategy known as MustL [11] is used, which facilitates the exploitation of local events. For each event , a subsystem is formed by considering all automata with in the alphabet, so becomes a local event after composing the subsystem. This gives several candidate subsystems, one for each event, so a second step applies a strategy called MinSync, which chooses the subsystem with the smallest number of states in its synchronous composition. It is worth mentioning that other methods [11], [35] for selecting subsystems give smaller supervisors for the , , and examples. However, consistently good results can be achieved for all the examples in this test with the MustL/MinSync strategy.
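The MustL/MinSync selection described above, as added example code written for this page (not the paper's or Supremica's implementation): synchronous composition in lock-step on shared events, one MustL candidate subsystem per shared event, the MinSync choice of the candidate with the smallest composition subject to the 5000-state limit of line 7, and the local-event set of the chosen subsystem from line 8 of Algorithm 1. The three constructed automata, the dictionary encoding and the decision to skip events that are already local (whose MustL subsystem would be a single automaton) are assumptions made here.

```python
from typing import Dict, FrozenSet, Iterable, Tuple


def automaton(alphabet, init, marked, trans):
    """Deterministic automaton as a dict (encoding assumed for this example)."""
    return {"alphabet": frozenset(alphabet), "init": init,
            "marked": frozenset(marked), "trans": dict(trans)}


# Constructed plant (not from the paper). Shared events: "a" (A1, A3),
# "b" (A1, A2) and "c" (A2, A3); "x" and "y" are already local.
PLANT = {
    "A1": automaton({"a", "b", "x"}, "p0", {"p0"},
                    {("p0", "a"): "p1", ("p1", "x"): "p2", ("p2", "b"): "p0"}),
    "A2": automaton({"b", "c"}, "q0", {"q0"},
                    {("q0", "b"): "q1", ("q1", "c"): "q0"}),
    "A3": automaton({"a", "c", "y"}, "r0", {"r0"},
                    {("r0", "a"): "r1", ("r1", "y"): "r1", ("r1", "c"): "r0"}),
}


def compose(auts: Iterable[dict]) -> dict:
    """Synchronous composition (lock-step on shared events) of deterministic
    automata, exploring only the reachable tuple states."""
    auts = list(auts)
    alphabet = frozenset().union(*(a["alphabet"] for a in auts))
    init = tuple(a["init"] for a in auts)
    trans, seen, frontier = {}, {init}, [init]
    while frontier:
        s = frontier.pop()
        for e in alphabet:
            nxt = []
            for a, loc in zip(auts, s):
                if e not in a["alphabet"]:
                    nxt.append(loc)              # automaton does not take part in e
                elif (loc, e) in a["trans"]:
                    nxt.append(a["trans"][(loc, e)])
                else:
                    break                        # e is disabled by this automaton
            else:
                t = tuple(nxt)
                trans[(s, e)] = t
                if t not in seen:
                    seen.add(t)
                    frontier.append(t)
    marked = frozenset(s for s in seen
                       if all(loc in a["marked"] for a, loc in zip(auts, s)))
    return {"alphabet": alphabet, "init": init, "marked": marked,
            "trans": trans, "states": frozenset(seen)}


def local_events(names: Tuple[str, ...], plant: Dict[str, dict]) -> FrozenSet[str]:
    """Line 8 of Algorithm 1: events used by the chosen subsystem only."""
    inside = frozenset().union(*(plant[n]["alphabet"] for n in names))
    outside = frozenset().union(*(plant[n]["alphabet"] for n in plant if n not in names))
    return inside - outside


def mustl_candidates(plant: Dict[str, dict]):
    """MustL: for every shared event, the subsystem of all automata using it,
    so that the event becomes local once the subsystem is composed."""
    events = frozenset().union(*(a["alphabet"] for a in plant.values()))
    cands = []
    for e in sorted(events):
        names = tuple(sorted(n for n, a in plant.items() if e in a["alphabet"]))
        if len(names) > 1 and names not in cands:   # skip events that are already local
            cands.append(names)
    return cands


def minsync(plant: Dict[str, dict], state_limit: int = 5000):
    """MinSync: among the MustL candidates, the one whose synchronous composition
    has the fewest states; candidates above the state limit are discarded."""
    best = None
    for names in mustl_candidates(plant):
        size = len(compose(plant[n] for n in names)["states"])
        if size > state_limit:
            continue
        if best is None or size < best[1]:
            best = (names, size)
    return best


if __name__ == "__main__":
    chosen = minsync(PLANT)
    print(chosen, sorted(local_events(chosen[0], PLANT)))
```

For this plant the candidates are (A1, A3) for "a", (A1, A2) for "b" and (A2, A3) for "c"; the first two compose to six reachable states and the last to four, so MinSync picks A2 and A3, after which "c" has become local alongside the already local "y". Lowering the state limit below the smallest candidate makes minsync return None, which is the situation in which the implementation has to fall back to another selection.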
Fig. 14 shows some data concerning the performance of the abstraction rules. For each example, it shows the ratio of the number of states removed by each rule to the total number of states removed, and the ratio of the runtime consumed by each rule to the total runtime of all abstraction rules. The bars show the average of these ratios for models with 100-1000 cells. Particularly for large models, halfway synthesis and bisimulation run much faster than weak synthesis observation equivalence, as is expected from its higher complexity class. However, weak synthesis observation equivalence also has the highest percentage of states removed and typically contributes most of the states removed by abstraction. The data suggest a correlation between the percentage of runtime and the percentage of states removed by each rule. By this measure, the three abstraction rules have similar performance in practice.
Fig. 15 shows the runtimes and supervisor sizes for instances of the transfer line example [2] with 100-1000 serially connected cells. Although the state space of these models grows exponentially, the cells are identical and the practical complexity of the system is small. Even with no knowledge of the symmetry of the model, the compositional synthesis algorithm successfully computes modular supervisors for transfer lines with up to 1000 serially connected cells. Table I shows that the algorithm never constructs a supervisor component with more than 79 states. Fig. 15 shows a linear relation between the number of connected cells and the total number of supervisor states. Moreover, the relation between the number of cells and the execution time is quadratic. This behavior is due to the complexity of evaluating and choosing subsystems from growing lists. This experiment shows that the compositional synthesis algorithm automatically discovers that the cells are identical and produces identical supervisors accordingly.
VIII. CONCLUSION
A general framework for compositional synthesis in supervisory control has been presented, which supports the synthesis of least restrictive, controllable, and nonblocking supervisors for large models consisting of several automata synchronizing in lock-step. The framework supports compositional reasoning using different kinds of abstractions that are guaranteed to preserve the final synthesis result, even when applied to individual components. Nondeterminism is avoided by renaming, which solves problems in previous related work. The computed supervisor has a modular structure in that it consists of several interacting components, which makes it easy to understand and implement. The algorithm has been implemented, and experimental results show that the method successfully computes nonblocking modular supervisors for a set of large industrial models.
In future work, the authors would like to extend the compositional synthesis algorithm to use the symmetric structure of parameterized systems automatically, in such a way that an abstraction computed for a single module can be reused. Furthermore, finite-state machines augmented with bounded discrete variables show good modeling potential, and it is of interest to adapt the described compositional synthesis approach to work directly with this type of modeling formalism.
