Abstract: Hierarchical Interface-based Supervisory Control (HISC) decomposes a discrete-event system (DES) into a high-level subsystem which communicates with n ≥ 1 low-level subsystems through separate interfaces that restrict the interaction of the subsystems. It provides a set of local conditions that can be used to verify global conditions such as nonblocking and controllability. The current HISC verification and synthesis algorithms are based upon explicit state and transition listings, which limit the size of a given level to about $10^7$ states when 1 GB of memory is used.
I. INTRODUCTION
In the area of Discrete-Event Systems (DES), two common tasks are to verify that a composite system, based on a Cartesian product of subsystems, is (i) nonblocking and (ii) controllable. The main obstacle to performing these tasks is the combinatorial explosion of the product state space.
The Hierarchical Interface-based Supervisory Control (HISC) framework was proposed by Leduc et al. in [7]-[11] to alleviate the state explosion problem. The HISC approach decomposes a system into a high-level subsystem which communicates with n ≥ 1 parallel low-level subsystems through separate interfaces that restrict the interaction of the subsystems. This structure permits the derivation of a set of local consistency properties that can be used to verify whether a discrete-event system is globally nonblocking and controllable. Each of these consistency properties can be verified using a single subsystem and its interface(s); thus the complete system model never needs to be stored in memory or traversed, offering potentially significant savings in computational resources.
In [4], Dai and Leduc introduced an HISC-based synthesis method that replaces each level's supervisor with a corresponding specification DES and then performs a per-level synthesis to construct, for each level, a maximally permissive supervisor that satisfies the corresponding HISC conditions. However, both the HISC synthesis and verification methods are based upon explicit state and transition listings, which limit the size of a given level to about $10^7$ states when 1 GB of memory is used.
As each subsystem in HISC is typically modeled as a group of plant DES and a group of specification/supervisor DES, each subsystem-wide state can be represented as a vector in which each element is the state of a component DES. Therefore, we can use Binary Decision Diagrams (BDDs; [2], [6]) to represent the state space and transitions of each subsystem, and develop algorithms based on BDD representations to verify or synthesize supervisors for our HISC system. As we will see, BDD representations and algorithms let us handle much larger subsystems, allowing HISC to be applied to even larger systems.
The use of IDDs (Integer Decision Diagrams, an extension of BDDs) to verify and synthesize flat DES has previously been investigated by Zhang et al. [18], while Vahidi et al. [15] have investigated applying BDDs to flat systems.
Ma et al. [12], [13] presented a top-down multi-level design model called State Tree Structures (STS), which was initiated in [16] using the idea of statecharts [5]. Ma used BDD-based algorithms that allowed him to model and synthesize a state-based supervisor for a system with an estimated state space on the order of $10^{24}$.

In this paper, we first discuss DES and predicate preliminaries, and then introduce the HISC approach in Sections III-IV. As the HISC method has already been explained and justified in detail in [10], [11] and [8], we only discuss it briefly here. For a small illustrative HISC example, please see [10].
For the remainder of the paper we present our new results from [14], beginning with the predicate-based fixpoint operators we developed. They allow us to perform a per-level synthesis that constructs, for each level, a maximally permissive supervisor satisfying the corresponding HISC conditions. We prove that these fixpoint operators compute the required level-wise supremal languages.
We then present algorithms that implement the fixpoint operators, and briefly discuss a predicate-based HISC verification method derived from the synthesis method. Based on these algorithms, we briefly discuss a symbolic implementation using Binary Decision Diagrams.
We next discuss a method to implement our synthesized supervisors in a more compact manner. Finally, we discuss a large manufacturing example (estimated worst-case state space on the order of $10^{30}$) extended from the AIP example in [7], [8]. The example demonstrates the improved scalability that our symbolic approach offers.
II. PRELIMINARIES
Supervisory control theory provides a framework for the control of discrete-event systems (DES), systems that are discrete in space and time. For a detailed exposition of DES, see [17] . Below, we present a summary of the terminology that we use in this paper.
A. DES
Let Σ be a finite set of distinct symbols (events), and Σ* be the set of all finite sequences of events, including ε, the empty string. Let L ⊆ Σ* be a language over Σ. A string t ∈ Σ* is a prefix of s ∈ Σ*, written t ≤ s, if s = tu for some u ∈ Σ*. The prefix closure of L is defined as $\overline{L} = \{t \in \Sigma^* \mid t \le s \text{ for some } s \in L\}$. Let Pwr(Σ) denote the power set of Σ (i.e. all possible subsets of Σ).
A DES automaton is represented as a 5-tuple $G = (Y, \Sigma, \delta, y_o, Y_m)$, where Y is the state set, Σ is the event set, the partial function δ : Y × Σ → Y is the transition function, $y_o$ is the initial state, and $Y_m$ is the set of marker states. The function δ is extended to δ : Y × Σ* → Y in the natural way. The notation δ(y, s)! means that δ is defined for s ∈ Σ* at state y. For DES G, the language generated is denoted by L(G) and is defined to be $L(G) := \{s \in \Sigma^* \mid \delta(y_o, s)!\}$; the marked language is $L_m(G) := \{s \in L(G) \mid \delta(y_o, s) \in Y_m\}$.
The reachable state subset of DES G, denoted $Y_r$, is $Y_r := \{y \in Y \mid (\exists s \in \Sigma^*)\, \delta(y_o, s) = y\}$.
We say the DES is trim if it is both reachable and coreachable. We will always assume that a DES has a finite state and event set and is deterministic.
Let $\Sigma = \Sigma_1 \cup \Sigma_2$. For i = 1, 2, s ∈ Σ*, and σ ∈ Σ, we define the natural projection $P_i : \Sigma^* \to \Sigma_i^*$ according to:
The synchronous product of languages $L_1$ and $L_2$, denoted $L_1 \,\|\, L_2$, is defined to be:
The synchronous product of DES $G_1$ and $G_2$, denoted $G_1 \,\|\, G_2$, is defined to be a reachable DES G with event set $\Sigma = \Sigma_1 \cup \Sigma_2$ and the following properties:
This is equivalent to saying that every reachable state is also coreachable. We say that DES G represents a language
For $G_1$ and $G_2$, if $\Sigma_1 = \Sigma_2$ we can define the product of the two DES as:
B. Predicates and Predicate Transformers
We only give a brief introduction here. Please refer to [14] for more details.
Let $G = (Q, \Sigma, \delta, q_0, Q_m)$ be a DES. A predicate P defined on Q is a function P : Q → {1, 0}. P is identified by a corresponding state subset $Q_P := \{q \in Q \mid P(q) = 1\} \subseteq Q$. If $q \in Q_P$, we write q ⊨ P and say q satisfies P. We write Pred(Q) for the set of all predicates defined on Q. For predicates $P_1$ and $P_2$, we define
The two special predicates true and false are identified by Q and ∅, respectively. The predicate $P_m$ is identified by $Q_m$. If Q is understood, for $Q_1 \subseteq Q$ we denote the predicate identified by $Q_1$ as $pr(Q_1)$.
A predicate transformer is a function f : Pred(Q) → Pred(Q). We now introduce several predicate transformers for P ∈ Pred(Q) which will be used later on. See [14] for more formal definitions.
• The reachability predicate R(G, P) is defined to hold precisely on those states that can be reached in G from $q_0$ via states satisfying P.
• The coreachability predicate CR(G, P) is defined to hold precisely on those states that can reach a marker state in G via states satisfying P.
• With G and Σ' ⊆ Σ fixed, TR(G, P, Σ') is defined to hold precisely on those states that can reach a state satisfying P in G using only transitions with events in Σ'.
• With DES G, P' ∈ Pred(Q) and Σ' ⊆ Σ fixed, CR(G, P', Σ', P) is defined to hold precisely on those states that can reach a state satisfying P' in G via states satisfying P and transitions with events in Σ'.
Finally, for P ∈ P red(Q) we define L(G, P ) to be the closed language induced by P as L(G, P ) :
III. HISC OVERVIEW
An HISC system is currently a two-level system consisting of one high-level subsystem and n ≥ 1 low-level subsystems. The high-level subsystem communicates with each low-level subsystem through a separate interface. We will also refer to the high-level or a given low-level as a module.
In order to restrict the information flow at the interface, the system alphabet is partitioned into pairwise disjoint alphabets:
The events in $\Sigma_H$ are high-level events and the events in $\Sigma_L$ are low-level events, as these events appear only in the high-level and low-level subsystems, respectively. As the interface is only concerned with communication between the two subsystems, it contains only events that are common to both levels of the hierarchy, $\Sigma_R \,\dot\cup\, \Sigma_A$, which are collectively known as the set of interface events, denoted $\Sigma_I$. The events in $\Sigma_R$, called request events, represent commands sent from the high-level subsystem to the low-level subsystem. The events in $\Sigma_A$ are answer events and represent the low-level subsystem's responses to the request events.
In the remainder of this paper, j is always an index with range {1, …, n}. The high-level subsystem is modeled by DES $G_H$, which is the product of the high-level plant $G^p_H$ and the high-level supervisor $S_H$ (both defined over event set $\Sigma_H \,\dot\cup\, \bigcup_{k \in \{1,\ldots,n\}} [\Sigma_{Rk} \,\dot\cup\, \Sigma_{Ak}]$). The j-th low-level subsystem is modeled by DES $G_{Lj}$, which is the product of the j-th low-level plant $G^p_{Lj}$ and the j-th low-level supervisor $S_{Lj}$ (both defined over event set $\Sigma_{Lj} \,\dot\cup\, \Sigma_{Rj} \,\dot\cup\, \Sigma_{Aj}$), and the j-th interface is modeled by $G_{Ij}$ (defined over event set $\Sigma_{Rj} \,\dot\cup\, \Sigma_{Aj}$). The overall system structure is shown in Figure 1.
For controllability, the event set Σ is also partitioned as $\Sigma = \Sigma_c \,\dot\cup\, \Sigma_u$, where $\Sigma_c$ is the controllable event set and $\Sigma_u$ is the uncontrollable event set. We refer to DES $\mathbf{G}_H := G_H \,\|\, G_{I1} \,\|\, \cdots \,\|\, G_{In}$ as the high-level and DES $\mathbf{G}_{Lj} := G_{Ij} \,\|\, G_{Lj}$ as the j-th low-level. For convenience, the following event sets are also defined:
The interface DES ensures that communication between the levels occurs in a serial fashion: a request from the high-level is followed by an answer from the low-level before the next request is issued to the low-level subsystem. To enforce this, the interface DES is required to be a command-pair interface, as defined below.
Definition 1: For the n-th degree interface system composed of plant components
Therefore, both PLANT and SUP are defined over event set Σ. The whole flat system is the product of the flat supervisor and the flat plant:
SYSTEM := SUP × PLANT
We want to ensure SYSTEM satisfies:
IV. LOCAL CONDITIONS
We now present a set of local properties that will allow us to verify the global properties of controllability and nonblocking. The conditions here are based on [8] and [9] . Please refer to them for a more detailed discussion.
To make our later discussion of synthesis simpler, we wish to express our high-level and low-level as product DES. To do this, we need to extend the event sets of the interfaces.
Definition 2: For the n-th degree interface system that respects the alphabet partition given by (1) and is composed of plant components
We now present the properties that the system must satisfy to ensure that it interacts with the interfaces correctly. This definition is slightly different from the one presented in [8], but equivalent, as we will show. We use it because it makes our proofs easier.
Definition 3 is equivalent to the interface consistency definition from [8] .
Proof: See proof in [14].
The next definition ensures that each module is locally nonblocking.
Definition 4: The n-th degree interface system composed of plant components
…, $S_{Ln}$, and interfaces $G_{I1}, \ldots, G_{In}$ is said to be level-wise nonblocking with respect to the alphabet partition given by (1) if the following two conditions are satisfied:
…, $S_{Ln}$, and interfaces $G_{I1}, \ldots, G_{In}$, is level-wise nonblocking and interface consistent with respect to the alphabet partition given by (1), then
In [7], [8], [10], [11], the supervisors in an HISC system were designed by hand, and the system was then checked to see whether it was interface consistent, level-wise controllable and level-wise nonblocking. If not, it was modified by the designer until it was. For a complicated system, however, it is very desirable to synthesize the supervisors from specifications. In this section, we discuss how to construct supervisors whose marked languages are the supremal controllable sublanguages of a set of per-module specifications that satisfy the HISC conditions for the given high- or low-level. We say such supervisors are locally maximally permissible for their level. We then give predicate-based algorithms, which can easily be implemented using BDDs.
In the previous section, we specified that an n-th degree interface system is composed of plants, supervisors and interfaces. For synthesis, we assume that our interface system is composed of plants, specifications and interfaces. Essentially, we replace the high-level supervisor $S_H$ by a specification DES $E_H$ (defined over $\Sigma_{IH}$), and for all j ∈ {1, …, n}, we replace the j-th low-level supervisor $S_{Lj}$ by a specification DES $E_{Lj}$ (defined over $\Sigma_{ILj}$). We refer to such a system as an n-th degree specification interface system, and call the original system with supervisors an n-th degree supervisor interface system. We refer to a system as an n-th degree interface system when we do not wish to make a distinction.
For clarity, we now interpret some definitions used in the previous section in terms of an n-th degree specification interface system.
We now give the starting point for the synthesis process. These are the minimum conditions the system must meet; they correspond to the parts of the interface consistency and level-wise controllability definitions that cannot be corrected by the synthesis process we present if the system fails to satisfy them.
3) G Ij is a command-pair interface.
Let Φ be an n-th degree HISC-valid specification interface system that respects the alphabet partition given by (1). As the predicate algorithms operate on the states of the DES, we give the tuple definitions of the following DES for later reference:
A. High-level Supervisor Synthesis
In this section, we show how to synthesize a locally maximally permissible high-level supervisor for the system Φ. Below are the properties that the marked language of our high-level supervisor must satisfy for HISC. They correspond to point 3 of Defn. 3 and point 3 of Defn. 5.
Definition 7: For system Φ, let $K \subseteq \Sigma^*_{IH}$. K is high-level interface controllable (HIC) with respect to Φ if for all
Clearly, the empty language ∅ is HIC with respect to Φ.
For an arbitrary language $E \subseteq \Sigma^*_{IH}$, we define the set of all sublanguages of E that are HIC with respect to Φ as $C_H(E) := \{K \subseteq E \mid K \text{ is HIC with respect to } \Phi\}$.
Proposition 2: For system Φ, $C_H(E)$ is nonempty and closed under arbitrary unions. In particular, $C_H(E)$ contains a (unique) supremal element, denoted $\sup C_H(E)$.
Proof: See proof in [14].
For system Φ, if we compute $\sup C_H(L_m(\mathbf{G}_H))$, then a DES representing this sublanguage is a locally maximally permissible high-level supervisor. As the supervisor would be nonblocking, our new system would thus also satisfy point 1 of Defn. 4.
To compute $\sup C_H(L_m(\mathbf{G}_H))$, we want to define a suitable fixpoint operator. For a function f : X → X, where X is an arbitrary set, an element x ∈ X is a fixpoint of f if x = f(x). We also use the notation $f^k(x)$, k ∈ {0, 1, …}, to mean k successive applications of f, with $f^0(x) := x$. If we were defining a function operating on a language $K \in Pwr(\Sigma^*_{IH})$, we would want it to evaluate:
However, we need a predicate-based operator that we can apply to the states of our system. Let $Pred(Q_H)$ be the set of all predicates on $Q_H$, the state set of $\mathbf{G}_H$. For any $q \in Q_H$, as $\mathbf{G}_H = S_H \times G^p_H \times G^h_I$, where $G^h_I$ denotes the product of the extended interfaces $G^h_{I1}, \ldots, G^h_{In}$, there must exist unique $z \in Z_H$, $y \in Y_H$ and $x \in X^h$ such that q = (z, y, x). For state $x \in X^h$, there must also exist unique $x_1 \in X^h_1, \ldots, x_n \in X^h_n$ such that $x = (x_1, \ldots, x_n)$. For $P \in Pred(Q_H)$, we now show how to compute $\sup C_H(L(\mathbf{G}_H, P))$.
Definition 8: For system Φ, define the function $PHIC : Pred(Q_H) \to Pred(Q_H)$ for $P \in Pred(Q_H)$ as:
where
We show in [14] for arbitrary
We now provide a predicate based method to compute
Proposition 3: For system Φ, the following holds:
Proof: See proof in [14] .
The Algorithm to Compute $\sup C_H(L_m(\mathbf{G}_H))$
We now put everything together for the high-level and construct our algorithm.
Definition 9: For system Φ, define the function $\Gamma_H : Pred(Q_H) \to Pred(Q_H)$ according to
$(\forall P \in Pred(Q_H))\ \Gamma_H(P) := CR(\mathbf{G}_H, PHIC(P))$
Theorem 3: For system Φ, the following two points hold: 1) There exists k ∈ {0, 1, 2, …} such that $k \le |Q_H|$ and $\Gamma^k_H(true)$ is the greatest fixpoint of the function
Proof: See proof in [14].
We can thus take our high-level supervisor to be $S_H$, defined over event set $\Sigma_{IH}$, with
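Why the iteration of Theorem 3 stops within $|Q_H|$ applications (an added sketch, not the proof in [14]; it writes $P_1 \preceq P_2$ for $Q_{P_1} \subseteq Q_{P_2}$ and assumes, as the full proof must establish for $PHIC$, that $\Gamma_H$ is monotone and that $PHIC(P) \preceq P$):

Since $CR(\mathbf{G}_H, P') \preceq P'$ for every $P'$ and $PHIC(P) \preceq P$,
$$\Gamma_H(P) = CR(\mathbf{G}_H, PHIC(P)) \preceq PHIC(P) \preceq P .$$
Hence the iterates form a descending chain in the finite lattice $Pred(Q_H)$:
$$\mathit{true} \succeq \Gamma_H(\mathit{true}) \succeq \Gamma^2_H(\mathit{true}) \succeq \cdots$$
Each strict step drops at least one state of $Q_H$, so the chain is stationary after at most $|Q_H|$ steps: $\Gamma^{k+1}_H(\mathit{true}) = \Gamma^k_H(\mathit{true})$ for some $k \le |Q_H|$, which makes $\Gamma^k_H(\mathit{true})$ a fixpoint. If X is any fixpoint, then $X \preceq \mathit{true}$ and monotonicity give $X = \Gamma^k_H(X) \preceq \Gamma^k_H(\mathit{true})$, so $\Gamma^k_H(\mathit{true})$ is the greatest fixpoint. The same argument gives the bound $k \le |Q_{Lj}|$ for the low-level operator of Theorem 4.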
B. Low-level Supervisor Synthesis
In this section, we show how to synthesize a locally maximally permissible j-th low-level supervisor for the system Φ. We first discuss only the part of the conditions (those similar to the high-level conditions) that the marked language of our j-th low-level supervisor must satisfy for HISC. They correspond to point 4 of Defn. 3 and point 2 of Defn. 5.
Definition 10: Let $K \subseteq \Sigma^*_{ILj}$. K is j-th low-level P4 interface controllable ($LPC_j$) with respect to Φ if the following conditions are satisfied:
For an arbitrary language $E \subseteq \Sigma^*_{ILj}$, we define the set of all sublanguages of E that are $LPC_j$ with respect to Φ as $LPC_j(E) := \{K \subseteq E \mid K \text{ is } LPC_j \text{ with respect to } \Phi\}$.
Proposition 4: For system Φ, $LPC_j(E)$ is nonempty and closed under arbitrary unions. In particular, $LPC_j(E)$ contains a (unique) supremal element, denoted $\sup LPC_j(E)$.
Proof: See proof in [14].
Let $Pred(Q_{Lj})$ be the set of all predicates on $Q_{Lj}$, the state set of $\mathbf{G}_{Lj}$. For any $q \in Q_{Lj}$, as $\mathbf{G}_{Lj} = S_{Lj} \times G^p_{Lj} \times G^l_{Ij}$, there must exist unique $z \in Z_{Lj}$, $y \in Y_{Lj}$ and $x \in X^l_j$ such that q = (z, y, x).
Definition 11: For system Φ, define the function $PLPC_j : Pred(Q_{Lj}) \to Pred(Q_{Lj})$ for $P \in Pred(Q_{Lj})$ as:
We now add the remaining low-level conditions, namely points 5 and 6 of Defn. 3.
Definition 12: Let $K \subseteq \Sigma^*_{ILj}$. K is j-th low-level interface controllable ($LIC_j$) with respect to Φ if the following conditions are satisfied:
Clearly, the empty language ∅ is $LIC_j$ with respect to Φ. For an arbitrary language $E \subseteq \Sigma^*_{ILj}$, we define the set of all sublanguages of E that are $LIC_j$ with respect to Φ as $C_{Lj}(E) := \{K \subseteq E \mid K \text{ is } LIC_j \text{ with respect to } \Phi\}$.
Proposition 5: For system Φ, $C_{Lj}(E)$ is nonempty and closed under arbitrary unions. In particular, $C_{Lj}(E)$ contains a (unique) supremal element, denoted $\sup C_{Lj}(E)$.
Proof: See proof in [14].
For system Φ, if we compute $\sup C_{Lj}(L_m(\mathbf{G}_{Lj}))$, then a DES representing this sublanguage is a locally maximally permissible j-th low-level supervisor. As the supervisor would be nonblocking, our new system would thus satisfy point 2 of Defn. 4 for this value of j.
To compute $\sup C_{Lj}(L_m(\mathbf{G}_{Lj}))$, we need to define a suitable predicate-based fixpoint operator. For a given predicate $P \in Pred(Q_{Lj})$, we already know how to compute $\sup LPC_j(L(\mathbf{G}_{Lj}, P))$. We now need to develop operators to handle points 5-6 of Defn. 3. As we want to intersect the resulting language with $L_m(\mathbf{G}_{Lj})$, we can achieve this in a manner similar to that used in Proposition 3.
Definition 13: For system Φ, define the function $\Gamma_{p5j} : Pred(Q_{Lj}) \to Pred(Q_{Lj})$ for $P \in Pred(Q_{Lj})$ as:
Algorithm 2 shows how to compute $\Gamma_{p5j}(P)$ for arbitrary $P \in Pred(Q_{Lj})$.
Algorithm 2 $\Gamma_{p5j}(P)$
1: $P_{bad5} \leftarrow false$;
2: for each $\alpha \in \Sigma_{Aj}$ do
5: for each $\rho \in \Sigma_{Rj}$ do
7: end for
8: end for
9: return $P - P_{bad5}$;
Definition 14: For system Φ, define the function $\Gamma_{p6j} : Pred(Q_{Lj}) \to Pred(Q_{Lj})$ for $P \in Pred(Q_{Lj})$ as:
We now put everything together for the j-th low-level and construct our algorithm.
Definition 15: For system Φ, define the function $\Gamma_{Lj} : Pred(Q_{Lj}) \to Pred(Q_{Lj})$ for $P \in Pred(Q_{Lj})$ as:
Theorem 4: For system Φ, the following two points hold: 1) There exists k ∈ {0, 1, 2, …} such that $k \le |Q_{Lj}|$ and $\Gamma^k_{Lj}(true)$ is the greatest fixpoint of the function
Proof: See proof in [14].
We can thus take our j-th low-level supervisor to be
Algorithm 3
5: $P_1 \leftarrow PLPC_j(P_1)$;
6: $P_1 \leftarrow \Gamma_{p5j}(P_1)$;
7: $P_1 \leftarrow \Gamma_{p6j}(P_1)$;
8: $P_1 \leftarrow CR(\mathbf{G}_{Lj}, P_1)$;
9: until $P_1 = P_2$
10: return $P_1$;
Line 5 computes $PLPC_j(P_1)$. Line 7 computes $\Gamma_{p6j}(P_1)$. Line 8 calculates the coreachable states under $P_1$.
VI. VERIFICATION OF HISC
We have also developed a method to verify an n-th degree supervisor interface system, based on the synthesis algorithms we have presented. The method treats all the supervisors as their corresponding specifications and then applies the synthesis algorithm to the system (assuming that it is HISC-valid). If there are no reachable states that must be removed from $\mathbf{G}_H$ or $\mathbf{G}_{Lj}$ (j ∈ {1, …, n}) after the first pass, then the system is interface consistent, level-wise nonblocking, and level-wise controllable. We note that the verification process is typically faster and uses less memory than synthesis, meaning that we can usually verify larger systems than we can apply synthesis to. We refer the reader to [14] for the algorithm details.
VII. SYMBOLIC COMPUTATION FOR HISC SYNTHESIS AND VERIFICATION
The efficiency of our HISC synthesis and verification is dominated by the computation of the four predicate transformers R, CR, TR and the four-argument CR. We have developed a method to use logic formulas to represent state subsets and transitions in a system, and then use these formulas to compute the predicate transformers discussed above, as well as the other miscellaneous conditions needed to verify or synthesize an HISC system. We have also developed a method of using Reduced Ordered Binary Decision Diagrams [2], [6] to implement the above logic-formula-based algorithms. The BDD software package we used is BuDDy 2.4, developed by Jørn Lind-Nielsen. To achieve this, we drew heavily on the work of Ma [13]. Please refer to [14] for details.
VIII. CONTROLLER IMPLEMENTATION
For system Φ defined in Section V, we showed that we could synthesize locally maximally permissible supervisors for each level, namely $S_H$ and $S_{Lj}$ (j ∈ {1, …, n}).
However, these automaton-based supervisors could easily be very large ($S_H$, in the AIP example in the next section, has a state space on the order of $10^{15}$), making them difficult to implement directly as controllers. We now briefly discuss an alternative implementation method that will typically be more practical.
For the system Φ, let $P_H$ be the resulting predicate from Algorithm 1, and $P_{Lj}$ the resulting predicate from Algorithm 3. Let Q be the state space of the synchronous product of all the DES in system Φ. This means that a state q ∈ Q can be represented as a tuple
$$q := (z_H, y_H, z_{L1}, \ldots, z_{Ln}, y_{L1}, \ldots, y_{Ln}, x_1, \ldots, x_n). \qquad (2)$$
From the synthesis algorithms, we know that $S_H$ can be obtained by trimming off the states of the high-level $\mathbf{G}_H$ that do not satisfy $P_H$, and $S_{Lj}$ can be obtained by trimming off the states of the j-th low-level $\mathbf{G}_{Lj}$ that do not satisfy $P_{Lj}$. We show in [14] that we can express the appropriate control action for each state q ∈ Q as a per-event predicate local to a particular level.
For each j ∈ {1, . . . , n}, σ
For instance, for q ∈ Q and $\sigma \in \Sigma_c \cap (\Sigma_{Lj} \cup \Sigma_{Aj})$, if $f^{Lj}_\sigma(z_{Lj}, y_{Lj}, x_j) = 1$, then σ should be enabled at state q. Each predicate can be represented as a BDD, and typically the BDD is much smaller than the corresponding automaton supervisor. To obtain the state information q, we could have an observer for each component of system Φ (i.e. for $G^p_H$, $E_H$, etc.). As each component is typically the synchronous product of other DES, the observer needed for each DES is likely to be quite small. For an example, see the AIP example in [14]. Figure 2 shows the structure of our implementation, with $k_H, k_1, \ldots, k_n \in \{0, 1, \ldots\}$. The top box represents our observers, which provide the state information for our predicates. The enablement information is then sent to the plant.
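The following is an added worked example, not code from the paper or from its BuDDy-based implementation. It serves four passages at once: the predicate transformers R, CR, TR and the four-argument CR of Section II.B, the Γ fixpoint iteration of Definition 9, Theorem 3 and Algorithm 3, the one-pass verification check of Section VI, and the per-event control predicates $f_\sigma$ of this section. State subsets (Python frozensets) stand in for the BDDs of Section VII. The pruning step `bad_states` is an assumed, flat-controllability stand-in for the paper's PHIC and PLPC operators, whose HISC-specific definitions are not reproduced on this page; the plant (two machines M1 and M2, with M1 || M2 written out by hand), the one-slot buffer specification and the alphabet are constructed sample data, and every function name is this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DES:
    """G = (Y, Σ, δ, y_o, Y_m) with the partial δ stored as delta[state][event] -> state."""
    states: frozenset
    events: frozenset
    delta: dict
    init: object
    marked: frozenset

def step(G, q, e):
    """δ(q, e) if defined, otherwise None."""
    return G.delta.get(q, {}).get(e)

def product(G1, G2):
    """Reachable product of two DES over one alphabet: a transition exists iff both define it."""
    init = (G1.init, G2.init)
    delta, seen, stack = {}, {init}, [init]
    while stack:
        q = stack.pop()
        for e in G1.events:
            y2, z2 = step(G1, q[0], e), step(G2, q[1], e)
            if y2 is not None and z2 is not None:
                delta.setdefault(q, {})[e] = (y2, z2)
                if (y2, z2) not in seen:
                    seen.add((y2, z2)); stack.append((y2, z2))
    marked = frozenset(q for q in seen if q[0] in G1.marked and q[1] in G2.marked)
    return DES(frozenset(seen), G1.events, delta, init, marked)

def R(G, P):
    """R(G, P): states reachable from the initial state via states satisfying P."""
    if G.init not in P:
        return frozenset()
    seen, stack = {G.init}, [G.init]
    while stack:
        for t in G.delta.get(stack.pop(), {}).values():
            if t in P and t not in seen:
                seen.add(t); stack.append(t)
    return frozenset(seen)

def CR4(G, Pt, Sigma, P):
    """CR(G, P', Σ', P): states of P that reach P' through states of P by events in Σ' (backward lfp)."""
    good = set(Pt & P)
    while True:
        new = {q for q in P - good
               if any(e in Sigma and t in good for e, t in G.delta.get(q, {}).items())}
        if not new:
            return frozenset(good)
        good |= new

def CR(G, P):
    """CR(G, P): states that reach a marker state via states satisfying P."""
    return CR4(G, G.marked, G.events, P)

def TR(G, P, Sigma):
    """TR(G, P, Σ'): states that reach a state satisfying P using only events in Σ'."""
    return CR4(G, P, Sigma, G.states)

def bad_states(Gp, G, P, Sigma_u):
    """ASSUMED stand-in for the paper's PHIC/PLPC pruning: (y, z) is bad if the plant enables an
    uncontrollable event at y that the product either does not define or that leaves P."""
    return frozenset((y, z) for (y, z) in P for e in Sigma_u
                     if step(Gp, y, e) is not None and step(G, (y, z), e) not in P)

def gamma(Gp, G, P, Sigma_u):
    """Γ(P) := CR(G, P − P_bad): the shape of Γ_H in Definition 9 and of Algorithm 2."""
    return CR(G, P - bad_states(Gp, G, P, Sigma_u))

def synthesize(Gp, E, Sigma_u):
    """Iterate Γ from true to its greatest fixpoint; k counts applications (Theorem 3: k ≤ |Q|)."""
    G = product(Gp, E)
    P, k = G.states, 0
    while True:
        P_next = gamma(Gp, G, P, Sigma_u)
        if P_next == P:
            return G, R(G, P), k
        P, k = P_next, k + 1

def restrict(G, P):
    """Trim G to the states satisfying P: the automaton form of the synthesized supervisor."""
    delta = {q: {e: t for e, t in G.delta.get(q, {}).items() if t in P} for q in P}
    return DES(frozenset(P), G.events, delta, G.init, G.marked & P)

def enablement(G, P, e):
    """Section VIII per-event predicate f_e: the states of P at which e leads back into P."""
    return frozenset(q for q in P if step(G, q, e) in P)

def verify(Gp, S, Sigma_u):
    """Section VI: one Γ pass over plant × supervisor; passes iff no reachable state is removed."""
    G = product(Gp, S)
    return R(G, G.states) <= gamma(Gp, G, G.states, Sigma_u)

# Constructed sample: machines M1 and M2 (M1 || M2 built by hand) around a one-slot buffer.
SIGMA = frozenset({"start1", "finish1", "start2", "finish2"})
SIGMA_U = frozenset({"finish1", "finish2"})  # assumed: finishing is uncontrollable
PLANT = DES(frozenset({"I1I2", "W1I2", "I1W2", "W1W2"}), SIGMA,
            {"I1I2": {"start1": "W1I2", "start2": "I1W2"},
             "W1I2": {"finish1": "I1I2", "start2": "W1W2"},
             "I1W2": {"start1": "W1W2", "finish2": "I1I2"},
             "W1W2": {"finish1": "I1W2", "finish2": "W1I2"}},
            "I1I2", frozenset({"I1I2"}))
# Specification: the buffer must not overflow (finish1 when full) or underflow (start2 when empty).
BUFFER = DES(frozenset({"B0", "B1"}), SIGMA,
             {"B0": {"start1": "B0", "finish2": "B0", "finish1": "B1"},
              "B1": {"start1": "B1", "finish2": "B1", "start2": "B0"}},
             "B0", frozenset({"B0"}))
```

`synthesize(PLANT, BUFFER, SIGMA_U)` builds an 8-state product of which 6 states survive after a single application of Γ (k = 1 ≤ |Q| = 8): the two states in which the buffer is full while M1 is working are pruned, because the uncontrollable `finish1` would overflow the buffer, and `enablement(G, P, "start1")` therefore disables `start1` exactly when the buffer is full. `verify(PLANT, BUFFER, SIGMA_U)` fails, since a reachable state has to be removed, while `verify(PLANT, restrict(G, P), SIGMA_U)` passes with the synthesized supervisor standing in for the specification.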
IX. THE AIP EXAMPLE
To demonstrate the utility of our method, we applied it to a large manufacturing system, the Atelier Inter-établissement de Productique (AIP), as described in [1], [3]. The AIP system includes a central loop (CL) conveyor, four external loop (EL) conveyors, four transport units (TU), each of which moves pallets between the CL and a specific EL, an assembly station (AS) at each of EL1, EL2 and EL3, and an Input/Output (I/O) station at EL4 that allows pallets to enter and leave the system. We only briefly introduce this example here. Please see [14] for complete details.
In [7] , [8] , Leduc et al modelled the AIP as an HISC system. Using their algorithms based upon explicit state and 6 states, satisfied the HISC conditions. Using our BDD based algorithms, it took us 2 seconds and an estimated 30MB.
We then extended the AIP example of [7], [8] by modelling how pallets move around the system. For example, a pallet cannot reach an assembly station until it has been transported from the central loop to the section of the external loop leading to the station. We also enforced capacity restrictions on each loop section as follows: at most four pallets at a time in a given section of the CL, and at most five pallets at a time in a section of an EL. This was not originally modelled by Leduc et al. as it made the high-level too large for their software to handle.
To verify the system, we needed to add an additional supervisor that restricted the number of pallets in the system (excluding EL4) to 15, to prevent the system from blocking. The system was verified on a 2.8 GHz Pentium 4 CPU with 512 MB of memory, running Fedora Core 2. It used less than 160 MB of RAM, took 25.7 minutes to verify that the high-level HISC conditions were satisfied, and less than 1 second to verify that the low-level HISC conditions were satisfied for each low-level. The reachable state space for the high-level was $5.16 \times 10^{13}$, and the total estimated worst-case reachable state space size was $7.04 \times 10^{28}$. A flat verification with our BDD tool quickly used up all available RAM and had failed to complete after 24 hours.
We then removed the "15 pallets in system" supervisor and performed an HISC synthesis. Our BDD tool used less than 160 MB of RAM, took 128 minutes to synthesize a high-level supervisor, and less than 1 second to synthesize each low-level supervisor. The reachable state space for the high-level was $1.14 \times 10^{15}$, and the total estimated worst-case reachable state space was $1.51 \times 10^{30}$. This is a clear improvement over the previous HISC algorithms from [4], [10], [11].
X. CONCLUSIONS
In this paper, we have developed a predicate-based synthesis and verification method for systems modelled using Hierarchical Interface-based Supervisory Control. Combined with symbolic methods implemented using binary decision diagrams, we are now able to handle HISC systems whose individual levels are significantly larger than those handled by methods based upon explicit state and transition listings. In the AIP example investigated, the size of the high-level we could handle increased by eight orders of magnitude. This allows us to handle much larger systems.
