On Compositional Supervisor Synthesis for Discrete Event Systems by Mohajerani, Sahar

Thesis for the degree of Licentiate of Engineering
On Compositional Supervisor Synthesis
for Discrete Event Systems
by
Sahar Mohajerani
Department of Signals and Systems
Automation Group
Chalmers University of Technology
Göteborg, Sweden 2012
This thesis has been prepared using LATEX.
Copyright © Sahar Mohajerani, 2012.
All rights reserved.
Technical Report No. R001/2012
School of Electrical Engineering
Chalmers University of Technology
ISSN 1403-266X
Department of Signals and Systems
Automation Group
Chalmers University of Technology
SE-412 96 Göteborg, Sweden
Phone: +46 (0)31 772 1000
E-mail: mohajera@chalmers.se
Printed by Chalmers Reproservice
Göteborg, Sweden, March 2012
To Ali & Marzieh
and the memory of Farideh

Abstract
Over the past decades, human dependence on technical devices has rapidly increased. Many activities of such devices can be described by sequences of events, where the occurrence of an event causes the system to go from one state to another. This is elegantly modeled by automata. Systems that are modeled in this way are referred to as discrete event systems. Many of these systems appear in settings that are safety critical, and small failures may result in huge financial and/or human losses. Having a control function is one way to guarantee system correctness.
Supervisory control theory, proposed by Ramadge and Wonham, provides
a general framework to automatically calculate control functions for discrete
event systems. Given a model of the system, the plant, to be controlled,
and a specification of the desired behaviour, it is possible to automatically
compute, i.e. synthesise, a supervisor that ensures that the specification is
satisfied.
Usually, systems are modular and consist of several components interacting with each other. Calculating a supervisor for such a system in the standard way involves constructing the complete model of the considered system, which may lead to the inherent complexity problem known as the state-space explosion problem. This problem occurs when the composition of the components results in a model with a huge number of states, as the number of states grows exponentially with the number of components. This problem makes it intractable to examine the states of a system due to lack of memory and time.
This thesis uses a compositional approach to alleviate the state-space explosion problem. A compositional approach exploits the modular structure of a system to reduce the size of the model of the system. The thesis mainly focuses on developing the methodology for abstracting a system in a way that the final synthesis result is the same as it would have been for the non-abstracted system. The algorithms have been implemented in the discrete event system software tool Supremica and have been applied to compute modular supervisors for several large industrial models.
Keywords: Finite-state automata, abstraction, synthesis, supervisory control theory.

Acknowledgments
During the past two years of being a Ph.D. student, I have met many great people who in one way or another have helped me. I would really like to mention everybody's name, but the space does not let me.
First of all my deepest gratitude goes to my supervisor Martin Fabian.
Without your great support, encouragement and invaluable supervision this
work would not be possible. You believed in me, even when I myself did not,
and I can never thank you enough for that.
I also had the greatest pleasure to work with Robi Malik. You made the
time I spent in New Zealand a wonderful time and that was the beginning
of a very inspiring collaboration that has been continued for almost one year
now. Thank you so much Robi for everything.
I am also grateful to Bengt Lennartson, the head of the automation group, and all my colleagues and friends at the department, especially the people at the Division of Automatic Control, Automation and Mechatronics, for all the cheerful memories and for making the division a delightful place to work. Especially I would like to thank my two office roommates Zhennan and Patrik for all their help. Thanks to Sajed, Roozbeh, Mitra, Nina, Oskar and Mona for all the enjoyable "fikas". On the administrative side I would like to thank Madeleine Parsson, Agneta Kinnander and Lars Börjesson for being so helpful.
Finally I would like to thank my friends Azin, Arash, Sogol, Tohid, Laleh,
Nima, Maryam and Aidin who always have helped me and cheered me up
when I was down. Most importantly I would like to thank my family. Special
thanks to my mother for her unlimited love and to my sisters and brother,
you guys are amazing. And of course, I owe my heartfelt gratefulness to my
love Ali. You were always there for me and supported me no matter what.
From the bottom of my heart thank you!
Sahar Mohajerani
Göteborg, March 2012
List of appended papers
Paper I
Mohajerani, Sahar; Malik, Robi; Ware, Simon; Fabian, Martin: On the Use of Observation Equivalence in Synthesis Abstraction. In Proceedings of the 3rd International Workshop on Dependable Control of Discrete Systems (DCDS'11), June 2011, Saarbrücken, Germany.
Paper II
Mohajerani, Sahar; Malik, Robi; Fabian, Martin: Nondeterminism Avoidance in Compositional Synthesis of Discrete Event Systems. In Proceedings of the IEEE Conference on Automation Science and Engineering 2011 (CASE'11), pp. 19-24, August 2011, Trieste, Italy.
Paper III
Mohajerani, Sahar; Malik, Robi; Fabian, Martin: Compositional Synthesis of Modular Supervisors Using Synthesis Equivalence. Submitted to IEEE Transactions on Automatic Control, 2012.
Other publications
The following papers are not included in this thesis due to overlap with the appended papers:
Paper IV
Mohajerani, Sahar; Malik, Robi; Ware, Simon; Fabian, Martin: Three Variations of Observation Equivalence Preserving Synthesis Abstraction. Göteborg: Chalmers University of Technology (Department of Signals and Systems, Technical Report R008/2011).
Paper V
Mohajerani, Sahar; Malik, Robi; Ware, Simon; Fabian, Martin: Compositional Synthesis of Discrete Event Systems Using Synthesis Abstraction. In Proceedings of the 23rd Chinese Control and Decision Conference, May 2011, Mianyang, China.
Contents
Abstract i
Acknowledgments iii
List of publications v
Contents vii
Part I: Introductory Chapters xi
1 Introduction 1
1.1 Problem Statement 2
1.2 Main Contributions 3
1.3 Outline 3
2 Preliminaries 5
2.1 Modeling Formalism 5
2.1.1 Finite Automata 5
2.1.2 Events and Languages 8
2.2 Equivalence Relation 8
3 Supervisory Control Theory 11
3.1 Requirements for Supervisors 12
3.1.1 Nonblocking 12
3.1.2 Controllability 12
3.1.3 Least Restrictiveness 13
3.2 Synthesis 13
3.2.1 Synthesis Algorithm 13
3.3 Translation of Specifications to Plants 14
3.3.1 Translated Specifications vs Forbidden States 16
3.3.2 Need for Transforming Specifications to Plants 16
3.3.3 Modular Approach and Forbidden States 17
4 Compositional Synthesis 21
4.1 General Compositional Approach 22
4.1.1 Local Events 22
4.2 Equivalence Relations 24
4.2.1 Supervision Equivalence 24
4.2.2 Synthesis Abstraction 25
4.2.3 Renaming and Synthesis Equivalence 27
4.3 Abstraction Methods Preserving Synthesis Equivalence 29
4.3.1 Observation Equivalence 31
4.3.2 Selfloop Removal 35
4.3.3 Halfway Synthesis 36
4.3.4 Partial Supervisors 37
4.4 Experimental Results 37
4.4.1 Test Examples 38
4.4.2 Heuristics 39
4.4.3 Results 39
5 Summary of Included Papers 43
6 Concluding Remarks and Future Work 45
References 47
Part II: Publications 51
Paper I: On the Use of Observation Equivalence in Synthesis Abstraction 53
Abstract 55
1 Introduction 55
2 Preliminaries and Notation 56
2.1 Events and Languages 56
2.2 Nondeterministic Automata 57
2.3 Supervisory Control Theory 58
3 Compositional Synthesis 60
3.1 General Compositional Approach 60
3.2 Synthesis Abstraction 60
4 Methods of Abstraction 61
4.1 Observation Equivalence 61
4.2 Bisimulation 62
4.3 Uncontrollable Observation Equivalence 63
4.4 Synthesis Observation Equivalence 64
4.5 Relationship to Projection 65
5 Example 67
6 Conclusions 69
References 69
Paper II: Nondeterminism Avoidance in Compositional Synthesis of Discrete Event Systems 73
Abstract 75
1 Introduction 75
2 Preliminaries and Notation 76
2.1 Events and Languages 76
2.2 Nondeterministic Automata 77
2.3 Supervisory Control Theory 78
3 Renaming in Compositional Synthesis 79
3.1 General Compositional Approach 80
3.2 Renaming 81
3.3 Renaming and Compositional Synthesis 83
3.4 Abstractions Preserving Synthesis Equivalence 84
4 Example 86
5 Conclusions 89
References 89
Paper III: Compositional Synthesis of Modular Supervisors Using Synthesis Equivalence 93
Abstract 95
1 Introduction 95
2 Preliminaries 97
2.1 Events and Languages 97
2.2 Finite-State Automata 97
2.3 Supervisory Control Theory 98
3 Compositional Synthesis 101
4 Synthesis Triple Rewrite Operations 106
4.1 Synchronous Composition, Renaming, Selfloop Removal 106
4.2 Observation Equivalence 107
4.3 Halfway Synthesis 111
5 Experimental Results 112
6 Conclusions 116
References 117
Appendices 122
A Proofs for Renaming and Selfloop Removal 122
B Proof of Synthesis Observation Equivalence 125
C Proof for Halfway Synthesis 130
Part I
Introductory Chapters

Chapter 1
Introduction
The modern human being is a hybrid of a traditional homo sapiens with fancy electronic gadgets. We use electronic devices every day, and it seems we are never more than a meter away from our cellphones. These devices are designed to make our lives easier, and one of our most important requirements on them is consistency. We expect the devices to work in a certain way when we provide them with a certain input. In engineering terms, everything between the input that we provide and the output we see is broadly termed a system. The coffee machine, the printer and industrial robots are some examples of systems.
When dealing with different systems, many questions about the properties of systems arise. For example, in the case of a mobile phone one may wonder: what will happen if I push a specific button? For a nuclear plant a question could be: what will happen if a nuclear reactor core becomes too hot? Experimentation is one way to answer these kinds of questions. In many cases, experiments are very expensive or could even be dangerous. An alternative way to answer such questions is to model the system's behaviour.
Modeling can be viewed from two perspectives. In the first point of view, using physical knowledge, mathematical equations that describe the output of a system given an input are derived. Newton's laws, the law of gravity and differential equations are some tools used in this context. The other way of viewing system modeling is to describe a system's behaviour by sequences of events, where the occurrence of an event causes the system to go from one state to another. The tools to model the behaviour of such systems are events and states. For example, when a coffee machine is out of coffee beans, it goes from a working state to an idle state, and becoming out of beans is the event. Such system models are referred to as discrete event systems and are the main focus of this thesis. Discrete event systems may vary from very simple household devices like a simple coffee machine or cooking devices, to more sophisticated and complicated systems including aircraft electronics, industrial and manufacturing systems.
1.1 Problem Statement
Consider a coffee machine that fills your glass with tea even though you asked for coffee. In this case you may just accept the tea and get back to work. However, many applications of discrete event systems take place in settings that are safety critical, and small failures may result in huge financial and/or human losses. Having a control function is one way to guarantee system correctness.
In 1989, Ramadge and Wonham [29] proposed a framework to calculate
a controlling agent, called a supervisor, for discrete event systems. This
framework is called the supervisory control theory. Given a model of a system
to be controlled, the plant, and the desired behaviour of the controlled system,
the supervisory control theory proposes methods to design and automatically
construct a supervisor in such a way that the controlled system of plant and
supervisor always acts as desired.
For simple systems consisting of a small number of states, calculating the supervisor can be done straightforwardly. However, nowadays systems are becoming more and more complex, and each system consists of several interacting subsystems. Such systems are referred to as modular systems. Using the standard approach to calculate the supervisor for such systems involves explicitly representing the entire system by a single model, which may consist of millions of states. This inherent complexity problem is known as the state-space explosion problem. A brute-force approach to calculate a supervisor is to go through all states of a system and remove undesirable states. The state-space explosion makes it intractable to analyse all states of a system due to lack of memory and time.
The state-space explosion problem can occur when one tries to model a modular system by a single representation. However, it is possible to use the knowledge of the modularity of the system to our advantage. One way to exploit the modularity of systems is to use compositional approaches. To avoid the state-space explosion problem, a compositional approach tries to build a single representation of a system in an incremental way. The general approach is as follows. First the subsystems are simplified by merging related states until no further simplification (also called abstraction) is possible, and then the subsystems are combined together one by one and simplified again in each iteration. This process is repeated until it results in one final, relatively simple model. This simple model is finally used for synthesis.
1.2 Main Contributions
The main focus of this thesis is to use the compositional approach for calculating a supervisor. Questions that immediately arise are:
• What is the property that should be preserved after simplification?
• Is it possible to find methods in order to simplify subsystems efficiently?
• Does the compositional approach make supervisor calculation efficient?
Attempting to answer these questions results in the following contributions in this thesis:
• In this work, maintaining the same closed loop behaviour is the property to be preserved after simplification. Also, the computed supervisor in this thesis is modular in that it consists of several interacting components.
• The main focus of this thesis is to develop abstraction methods in the compositional approach such that the final closed loop behaviour is the same as it would have been for the non-abstracted system. The abstraction methods presented are mostly based on a well-known abstraction method called observation equivalence, and it is shown how observation equivalence can be strengthened to be applicable in the compositional synthesis framework.
• The algorithms proposed in this work have been implemented in the DES software tool Supremica and have been applied to compute supervisors for several benchmark examples. The experimental results show that the method successfully computes modular supervisors for a set of very large industrial models.
1.3 Outline
The first two chapters, Chapter 2 and Chapter 3, give the preliminaries and the background of supervisory control theory. In Chapter 4 the compositional synthesis proposed in this work is described. This chapter also presents the different abstraction methods to reduce the complexity of systems and several benchmark examples. A summary of the appended papers is provided in Chapter 5. Finally, some concluding remarks are given in Chapter 6.

Chapter 2
Preliminaries
Many activities of the technical devices in our daily use can be described by sequences of events. These systems are referred to as discrete event systems (DES). A DES is a dynamic system with events and states as its basic elements. Events represent incidents that cause transitions from one state to another, and states describe the current system status after the occurrence of an event. Such systems vary from simple household devices to complicated systems such as aircraft electronics, industrial and manufacturing systems.
2.1 Modeling Formalism
A prerequisite for analysing discrete event systems is developing suitable models that can accurately represent the activities of the system. Different modeling formalisms have been used in the literature to represent discrete event systems, for instance automata [3], Petri nets [16] and formal languages [8, 29]. In this thesis finite automata are used to represent the behaviour of discrete event systems.
2.1.1 Finite Automata
Discrete event systems behaviour are typically modeled by deterministic au-
tomata, but in our case nondeterministic automata may arise as intermediate
results during abstraction.
Definition 1 A finite-state automaton is a tuple G = 〈Σ, Q,→, Q◦〉, where
• Σ is the alphabet which is a finite set of events,
• Q is the finite set of states,
• → ⊆ Q× Σ×Q is the state transition relation,
• Q◦ ⊆ Q is the set of initial states.
The following notation and conventions are used in this thesis.
• The transition relation is written in infix notation $x \xrightarrow{\sigma} y$, and is extended to traces in $\Sigma^*$ by letting $x \xrightarrow{\varepsilon} x$ for all $x \in Q$, where $\varepsilon$ is the empty trace, and $x \xrightarrow{s\sigma} z$ if $x \xrightarrow{s} y$ and $y \xrightarrow{\sigma} z$ for some $y \in Q$.
• $x \xrightarrow{s}$ means that $x \xrightarrow{s} y$ for some $y \in Q$, and $x \rightarrow y$ means that $x \xrightarrow{s} y$ for some $s \in \Sigma^*$. These notations also apply to state sets, $X \xrightarrow{s}$ for $X \subseteq Q$ means that $x \xrightarrow{s}$ for some $x \in X$, and to automata, $G \xrightarrow{s}$ means that $Q^\circ \xrightarrow{s}$.
• A special termination event, $\omega$, is used to denote marking of a state. A special requirement is that states reached by the termination event $\omega$ do not have any outgoing transitions, i.e., if $x \xrightarrow{\omega} y$ then there does not exist $\sigma \in \Sigma$ such that $y \xrightarrow{\sigma}$. This ensures that the termination event, if it occurs, is always the final event of any trace. The traditional set of marked states is $Q^\omega = \{\, x \in Q \mid x \xrightarrow{\omega} \,\}$ in this notation. For graphical simplicity, states in $Q^\omega$ are shown shaded in the figures of this thesis, to avoid explicitly showing $\omega$-transitions.
Automaton $G$ is deterministic if $|Q^\circ| \le 1$, and $x \xrightarrow{\sigma} y_1$ and $x \xrightarrow{\sigma} y_2$ always implies $y_1 = y_2$.
Some automata are structurally related. One such relation is when the
structure of one automaton is contained within another, and they both have
the same alphabet. This structural relation is important for the algorithm
to be described.
Definition 2 Let $G_1 = \langle \Sigma_1, Q_1, \rightarrow_1, Q_1^\circ \rangle$ and $G_2 = \langle \Sigma_2, Q_2, \rightarrow_2, Q_2^\circ \rangle$, where $\Sigma_1 = \Sigma_2$, be two automata. $G_1$ is a subautomaton of $G_2$, written $G_1 \subseteq G_2$, if $Q_1 \subseteq Q_2$, $\rightarrow_1 \subseteq \rightarrow_2$, and $Q_1^\circ \subseteq Q_2^\circ$.
It can be of interest to restrict the behaviour of an automaton to a subset
of its states. Restriction is important when we talk about supervisory control
theory in Chapter 3, where a system behaviour is restricted to a desired
behaviour.
Definition 3 The restriction of $G = \langle \Sigma, Q, \rightarrow, Q^\circ \rangle$ to $X \subseteq Q$ is
$$G_{|X} = \langle \Sigma, X, \rightarrow_{|X}, Q^\circ \cap X \rangle, \tag{2.1}$$
where $\rightarrow_{|X} = \{\, (x, \sigma, y) \in \rightarrow \mid x, y \in X \,\}$.
Figure 2.1: Automata for the manufacturing system used in Example 1. [Figure not reproduced in this text version: handler H with states IDLE and WORKING and events fetch and !put; buffer B with states EMPTY, HALF, FULL and ⊥ and events !put and get; and their synchronous composition H ‖ B with events fetch, !put and get.]
Most discrete event systems consist of several subsystems running in parallel. When these components are brought together to interact, synchronisation in the style of [19] is used.
Definition 4 Let $G_1 = \langle \Sigma_1, Q_1, \rightarrow_1, Q_1^\circ \rangle$ and $G_2 = \langle \Sigma_2, Q_2, \rightarrow_2, Q_2^\circ \rangle$ be two automata. The synchronous composition of $G_1$ and $G_2$ is defined as
$$G_1 \parallel G_2 = \langle \Sigma_1 \cup \Sigma_2,\ Q_1 \times Q_2,\ \rightarrow,\ Q_1^\circ \times Q_2^\circ \rangle \tag{2.2}$$
where
$$\begin{aligned}
(x, y) \xrightarrow{\sigma} (x', y') &\quad \text{if } \sigma \in \Sigma_1 \cap \Sigma_2,\ x \xrightarrow{\sigma}_1 x',\ y \xrightarrow{\sigma}_2 y'; \\
(x, y) \xrightarrow{\sigma} (x', y) &\quad \text{if } \sigma \in \Sigma_1 \setminus \Sigma_2,\ x \xrightarrow{\sigma}_1 x'; \\
(x, y) \xrightarrow{\sigma} (x, y') &\quad \text{if } \sigma \in \Sigma_2 \setminus \Sigma_1,\ y \xrightarrow{\sigma}_2 y'.
\end{aligned}$$
In synchronous composition, an event shared between two automata can be executed only if it is executed by the two automata simultaneously. However, there is no such constraint on the non-shared local events.
Example 1 Figure 2.1 shows automata models of a simple manufacturing system consisting of a handler H and a buffer B with capacity two. The handler fetches a workpiece (fetch) and then puts it into the buffer (!put), and afterwards the buffer releases the workpiece (get). The behaviour of the handler is modeled by automaton H in Figure 2.1. The behaviour of the buffer is given by the automaton B. The buffer can store only two workpieces; adding more workpieces causes an overflow, represented by the state ⊥. Figure 2.1 also shows the synchronised model H ‖ B, which consists of 8 states.
2.1.2 Events and Languages
A behaviour of a DES is described over a finite set of events Σ. Σ∗ is the set
of all finite traces of events from Σ, including the empty trace ε. A subset
L ⊆ Σ∗ is called a language. The language of an automaton is the set of all
traces generated by the automaton.
Definition 5 Let $G = \langle \Sigma, Q, \rightarrow, Q^\circ \rangle$ be an automaton. The language of $G$, denoted $\mathcal{L}(G)$, is defined as
$$\mathcal{L}(G) = \{\, s \in \Sigma^* \mid G \xrightarrow{s} \,\} \tag{2.3}$$
The following notations and definitions are considered for languages. The
concatenation of two traces s, t ∈ Σ∗ is written as st. A trace s ∈ Σ∗ is called
a prefix of t ∈ Σ∗, written s ⊑ t, if t = su for some u ∈ Σ∗. For Ω ⊆ Σ,
the natural projection PΩ : Σ∗ → Ω∗ is the operation that removes from
traces s ∈ Σ∗ all events not in Ω [9]. The projection PΩ can be extended to
languages, by applying it to all the strings in the language.
Example 2 Let Σ = {α, β} and consider subset Ω = {α}. Let L = {ε, α,
αβ}. Then PΩ(L) = {ε, α}.
To describe the behaviour of discrete event systems, regular languages are commonly used in the literature [8, 29]. However, regular languages can equivalently be depicted by automata. In this thesis, automata are used to model a DES, since it is not straightforward to show nondeterminism by a language and the main focus of this work is on abstraction, which may cause nondeterminism. Furthermore, algorithms typically work on automata even where languages are used for modeling.
2.2 Equivalence Relation
An equivalence relation is a binary relation that partitions a set into disjoint subsets. In this thesis, the equivalence relation ∼ is applied to the state set Q of automata. The equivalence class of state x ∈ Q with respect to the equivalence relation ∼, written as [x], is [x] = {x′ ∈ Q | x ∼ x′ } and Q/∼ = { [x] | x ∈ Q } is the set of all equivalence classes modulo ∼.
Since an equivalence relation ∼ is reflexive, symmetric and transitive, the following hold, respectively:
• x ∼ x for all x ∈ Q,
• if x1 ∼ x2 then x2 ∼ x1 and x1, x2 ∈ [x1] = [x2],
[Figure not reproduced in this text version: automaton G with states q0, q1, q2, q3 and events α, β, γ, and its quotient G/∼ with states [q0], [q1], [q3].]
Figure 2.2: Automata of Example 3.
• if x1 ∼ x2 and x2 ∼ x3 then x1 ∼ x3 and x1, x2, x3 ∈ [x1] = [x2] = [x3].
Applying an equivalence relation to the state set of an automaton results in the quotient automaton.
Definition 6 Let $G = \langle \Sigma, Q, \rightarrow, Q^\circ \rangle$ be an automaton and let ${\sim} \subseteq Q \times Q$ be an equivalence relation. The quotient automaton of $G$ modulo $\sim$ is
$$G/{\sim} = \langle \Sigma,\ Q/{\sim},\ \rightarrow/{\sim},\ Q^\circ/{\sim} \rangle, \tag{2.4}$$
where $\rightarrow/{\sim} = \{\, [x] \xrightarrow{\sigma} [y] \mid x \xrightarrow{\sigma} y \,\}$.
The quotient automaton is an abstracted automaton which can be obtained by merging the states of each equivalence class or, equivalently, by regarding the equivalence classes as the states of the abstracted automaton.
Example 3 Consider the automaton G = 〈Σ, Q,→, Q◦〉 in Figure 2.2. Let
∼ ⊆ Q × Q be an equivalence relation such that q0 ∈ [q0], q1, q2 ∈ [q1] and
q3 ∈ [q3]. Figure 2.2 also shows G/∼ which is the quotient automaton of G
and is obtained by merging the states of the equivalence classes.

Chapter 3
Supervisory Control Theory
A discrete event system usually consists of sets of plant components modeled by automata. Plant automata can be seen as event generators and describe the behaviour of the uncontrolled system. Usually, the system behaviour is not acceptable in that it violates some safety or nonblocking constraint. A specification describes the desired behaviour and is also modeled by automata. To avoid violation of the specification by the uncontrolled plant, a supervisor needs to be calculated.
Given a plant automaton G and a specification automaton K, the supervisory control theory [29] provides a method to synthesise a supervisor S that restricts the behaviour of the plant such that the specification is always fulfilled.
Figure 3.1 shows the feedback loop of supervisor and plant. The plant generates events and the supervisor, based on the generated events (as in Figure 3.1), decides whether to enable or disable the currently possible plant events. Thus, the supervisor is itself incapable of generating events and only enables or disables them.
[Figure not reproduced in this text version: the Supervisor and the Plant form a feedback loop, the plant producing the trace s and the supervisor returning S(s).]
Figure 3.1: The feedback loop of supervisor and plant.
3.1 Requirements for Supervisors
A plant describes everything that the uncontrolled system is capable of doing and the specification expresses the desired behaviour. A supervisor is designed to restrict the plant behaviour such that the plant does not violate the specification. Besides this essential requirement, there are more requirements that a supervisor should fulfill.
3.1.1 Nonblocking
In automata, marked states are used to represent completion of a (sub-)task. It is desirable for a system to be able to complete tasks or, in other words, to be free from deadlock and livelock. Formally speaking, deadlock refers to a situation when a system is in an unmarked state from which there is no outgoing transition, such as two or more systems waiting for each other to release a common resource. Livelock is similar to deadlock, except that the system is not blocked but is in a loop that it cannot get out of.
One crucial issue to consider while computing a supervisor is that the
controlled system can always complete at least some tasks. Such a supervisor
is referred to as a nonblocking supervisor.
Definition 7 Let $G = \langle \Sigma, Q, \rightarrow, Q^\circ \rangle$. A state $x \in Q$ is called reachable in $G$ if $G \rightarrow x$, and coreachable if $x \xrightarrow{s\omega}$ for some $s \in \Sigma^*$. $G$ is called nonblocking if every reachable state is coreachable.
Given a plant G and a supervisor S the resultant closed loop behaviour
is G ‖ S, and of course this automaton should be nonblocking.
3.1.2 Controllability
For the purpose of supervisory control, the alphabet of a system is partitioned
into two disjoint subsets, the set Σc of controllable events and the set Σu of
uncontrollable events. Controllable events can be disabled by a supervisor but uncontrollable events cannot.
Considering uncontrollable events, one requirement for the computed supervisor is that it never tries to disable an executable uncontrollable event in order to restrict the system.
Definition 8 Let $G = \langle \Sigma_G, Q_G, \rightarrow_G, Q_G^\circ \rangle$ and $K = \langle \Sigma_K, Q_K, \rightarrow_K, Q_K^\circ \rangle$ be two automata. $K$ is controllable with respect to $G$ if, for every trace $s \in (\Sigma_G \cup \Sigma_K)^*$, every state $x$ of $K$, and every uncontrollable event $\upsilon \in \Sigma_G \cap \Sigma_K \cap \Sigma_u$ such that $K \xrightarrow{P_{\Sigma_K}(s)} x$ and $G \xrightarrow{P_{\Sigma_G}(s)\,\upsilon}$, it holds that $x \xrightarrow{\upsilon}$ in $K$.
This definition says that, given a plant G and a supervisor S, the supervisor S is controllable with respect to plant G if the occurrence of an uncontrollable event does not lead to a string which is not acceptable by the supervisor.
3.1.3 Least Restrictiveness
The purpose of a supervisor is to restrict a plant behaviour to fulfill a specification. Typically, there is no unique controllable and nonblocking supervisor. For instance the null automaton could be a supervisor, and since it disables all the events generated by the plant it is a nonblocking and controllable supervisor that fulfills any specification. However, the null automaton is not a useful supervisor and it is desirable to restrict the plant behaviour as little as possible. Such a supervisor is referred to as the least restrictive supervisor. In this thesis, the term "supervisor" refers to a least restrictive, controllable and nonblocking supervisor, and this supervisor is unique [29].
3.2 Synthesis
If a system does not satisfy the specification, the question arises whether it
is possible to remove states that violate the specification. This question is
answered by fundamental results in [29], where it is shown that for every
given regular language, there exists a unique maximal sublanguage that is
controllable, nonblocking and least restrictive.
3.2.1 Synthesis Algorithm
In this thesis, the system behaviour is modeled by automata. To cope with
automata based modeling, the result in [29] can be reformulated in automata
form, using an iteration on the automaton state set [26]. The following
algorithm will calculate the largest set of controllable and coreachable states
of a given automaton.
Given the automaton G, the algorithm iteratively identifies and removes
blocking and uncontrollable states and it returns the maximal set of con-
trollable and nonblocking states. The largest controllable and nonblock-
ing subautomaton of G is obtained by restricting G to this set which is
written supCN Γ(G) [26]. When Γ = Σu, the subscript is omitted, i.e.,
supCN (G) = supCNΣu(G).
In the finite-state case, the iteration is guaranteed to converge, and the
complexity is O(|Q||→|), where |Q| and |→| are the numbers of states and
transitions of the automaton. The size of Q and → grows exponentially with
the number of components, and [17] shows that the compositional synthesis
problem is NP-complete.
Algorithm 1 Maximal state set $\Theta_{G,\Gamma}(Q)$
precondition : A given automaton $G = \langle \Sigma, Q, \to, Q^\circ \rangle$ and a set of uncontrollable
events $\Gamma \subseteq \Sigma_u \subseteq \Sigma$.
postcondition : A set $\Theta \subseteq Q$, which is the largest set of controllable and
coreachable states of G.
i ← 0
$\Theta_0 \leftarrow Q$
repeat
  $\Theta_{i+1} \leftarrow \Theta_i$
  for all $x \in \Theta_{i+1}$: if there is no t such that $x \xrightarrow{t\omega}$ then
    $\Theta_{i+1} \leftarrow \Theta_{i+1} \setminus \{x\}$
  end if
  for all $x \in \Theta_{i+1}$: if $x \xrightarrow{\upsilon} y$ and $y \notin \Theta_{i+1}$ for some $\upsilon \in \Gamma$ then
    $\Theta_{i+1} \leftarrow \Theta_{i+1} \setminus \{x\}$
  end if
  i ← i + 1
until $\Theta_i = \Theta_{i-1}$
return $\Theta_i$
3.3 Translation of Specifications to Plants
The synthesis operation described in Section 3.2 only performs synthesis for
a plant automaton G. In order to apply this synthesis algorithm to control
problems that also involve specifications, the transformation proposed in [15]
can be used. A specification automaton is transformed into a plant by adding,
for every uncontrollable event that is not enabled in a state, a transition to
a new blocking state ⊥. This essentially transforms all initial controllability
problems into blocking problems.
Definition 9 [15] Let K = 〈Σ, Q,→, Q◦〉 be a specification. The complete
plant automaton K⊥ for K is
K⊥ = 〈Σ, Q ∪ {⊥},→⊥, Q◦〉 (3.1)
where ⊥ /∈ Q is a new state and
$\to^\perp \;=\; \to \;\cup\; \{\,(x, \upsilon, \perp) \mid x \in Q,\ \upsilon \in \Sigma_u,\ x \not\xrightarrow{\upsilon}\,\}\,. \quad (3.2)$
Figure 3.2: Automata of Example 4 (H, B, B⊥, H ‖ B⊥ and S; the state diagrams are not reproduced here).
Given a plant G, synthesising the least restrictive nonblocking and con-
trollable behaviour that is allowed by specification K involves synchronis-
ing the plant with the translated specification and computing supCN (G ‖
K⊥) [15]. This way of calculating a supervisor is referred to as the mono-
lithic approach, and the supervisor obtained is a monolithic supervisor which
consists of a single automaton. However, calculating a supervisor using the
monolithic approach is impeded by the state-space explosion problem. Since
a system's behaviour is usually modelled as a set of automata, it is possible to
exploit the modular structure of the system and design a modular supervisor.
Example 4 Figure 3.2 shows a model of a simple manufacturing system
consisting of a handler (plant H) and a buffer (specification B). The han-
dler fetches a workpiece (fetch) and puts it into the buffer (!put), afterwards
the buffer releases it (get). Events fetch and get are controllable, while
!put is uncontrollable. B⊥ is the complete plant automaton for B. This
system is blocking, since the trace fetch !put fetch !put fetch !put fetch takes
B⊥ to state ⊥, representing the undesired possibility of buffer overflow. To
prevent this, event !put needs to be disabled in state q2 of H ‖ B⊥. However,
!put is an uncontrollable event that cannot be disabled by the supervisor,
so the least restrictive solution is obtained by disabling the controllable
event fetch in state q1. Figure 3.2 shows the resultant least restrictive super-
visor S = supCN (H ‖B⊥).
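The monolithic synthesis of this example, Definition 9 (K⊥) followed by synchronous composition and Algorithm 1 (supCN), as an added Python example that is not code from the thesis or from Supremica. Assumed here: a single initial state per automaton, IDLE and EMPTY as the marked states of H and B, and the thesis's '!' prefix for uncontrollable events.

```python
# Definition 9 (K^⊥), synchronous composition and Algorithm 1 (supCN) on the handler/buffer
# system of Example 4.  Added example, not code from the thesis or from Supremica.  Assumed:
# one initial state per automaton, IDLE and EMPTY marked, '!' prefix for uncontrollable events.
from dataclasses import dataclass

BOTTOM = "⊥"  # the new blocking state introduced by Definition 9


@dataclass
class Automaton:
    alphabet: frozenset
    states: set
    initial: object
    marked: set
    trans: set  # triples (x, event, y)

    def enabled(self, x):
        return {e for (s, e, _) in self.trans if s == x}

    def step(self, x, e):  # successor of x under e (automata here are deterministic), or None
        return next((y for (s, ev, y) in self.trans if s == x and ev == e), None)

    def run(self, trace):  # state reached after a trace from the initial state, or None
        x = self.initial
        for e in trace:
            x = None if x is None else self.step(x, e)
        return x


def complete_plant(k):
    """Definition 9: K^⊥ adds, for every uncontrollable event not enabled in a state,
    a transition to ⊥, which is unmarked and has no outgoing transitions."""
    sigma_u = {e for e in k.alphabet if e.startswith("!")}
    extra = {(x, u, BOTTOM) for x in k.states for u in sigma_u if u not in k.enabled(x)}
    return Automaton(k.alphabet, k.states | {BOTTOM}, k.initial, set(k.marked), k.trans | extra)


def sync(a, b):
    """a ‖ b: shared events move in lock-step, private events interleave; reachable part only."""
    start = (a.initial, b.initial)
    states, trans, todo = {start}, set(), [start]
    while todo:
        x, y = todo.pop()
        for e in a.alphabet | b.alphabet:
            nx = a.step(x, e) if e in a.alphabet else x
            ny = b.step(y, e) if e in b.alphabet else y
            if nx is None or ny is None:
                continue  # disabled in a component that shares the event
            trans.add(((x, y), e, (nx, ny)))
            if (nx, ny) not in states:
                states.add((nx, ny))
                todo.append((nx, ny))
    marked = {(x, y) for (x, y) in states if x in a.marked and y in b.marked}
    return Automaton(a.alphabet | b.alphabet, states, start, marked, trans)


def max_state_set(g, gamma=None):
    """Algorithm 1: the largest set Θ ⊆ Q of controllable and coreachable states (Γ = Σ_u by default)."""
    if gamma is None:
        gamma = {e for e in g.alphabet if e.startswith("!")}
    theta = set(g.states)
    while True:
        previous = set(theta)
        # Coreachability inside Θ: backward closure from the marked states still in Θ.
        coreachable = g.marked & theta
        while True:
            more = {x for (x, _, y) in g.trans if x in theta and y in coreachable} - coreachable
            if not more:
                break
            coreachable |= more
        theta = coreachable
        # Controllability: drop states with an uncontrollable transition leaving Θ.
        theta -= {x for (x, e, y) in g.trans if x in theta and e in gamma and y not in theta}
        if theta == previous:
            return theta


def supcn(g, gamma=None):
    """supCN(G): G restricted to Θ, pruned to what stays reachable from the initial state."""
    theta = max_state_set(g, gamma)
    if g.initial not in theta:  # the null automaton: no controllable nonblocking supervisor
        return Automaton(g.alphabet, set(), None, set(), set())
    trans = {(x, e, y) for (x, e, y) in g.trans if x in theta and y in theta}
    reach = {g.initial}
    while True:
        more = {y for (x, _, y) in trans if x in reach} - reach
        if not more:
            break
        reach |= more
    return Automaton(g.alphabet, reach, g.initial, g.marked & reach, {t for t in trans if t[0] in reach})


def disabled_by(plant, sup):
    """(state, event) pairs enabled in the plant that the supervisor removes."""
    return {(x, e) for (x, e, _) in plant.trans if x in sup.states and e not in sup.enabled(x)}


# Example 4 (Figure 3.2): handler H is the plant, buffer B the specification.
H = Automaton(frozenset({"fetch", "!put"}), {"IDLE", "WORKING"}, "IDLE", {"IDLE"},
              {("IDLE", "fetch", "WORKING"), ("WORKING", "!put", "IDLE")})
B = Automaton(frozenset({"!put", "get"}), {"EMPTY", "HALF", "FULL"}, "EMPTY", {"EMPTY"},
              {("EMPTY", "!put", "HALF"), ("HALF", "!put", "FULL"),
               ("HALF", "get", "EMPTY"), ("FULL", "get", "HALF")})
B_BOT = complete_plant(B)  # B^⊥: the only added transition is FULL --!put--> ⊥
PLANT = sync(H, B_BOT)     # H ‖ B^⊥
OVERFLOW = ["fetch", "!put", "fetch", "!put", "fetch", "!put", "fetch"]  # trace quoted in Example 4
S = supcn(PLANT)           # supCN(H ‖ B^⊥): the supervisor disables fetch in (IDLE, FULL)
```

Running supcn on sync(H, B) without the ⊥ translation returns the whole composition, which shows why Definition 9 is needed before Algorithm 1 can see the overflow.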
3.3.1 Translated Specifications vs Forbidden States
The idea of translating the specification is proposed in [15] and has been
implemented in the DES software tool Supremica [2]. However, typical synthesis
algorithms [1,21,29] do not use translated specifications, and it is
interesting to briefly compare the two approaches.
In the original algorithm first the plants and the specifications are syn-
chronised. During the synchronisation process, whenever an uncontrollable
event in the plant is disabled by the specification, the synchronised state is
marked as forbidden. The set of forbidden states is iteratively extended by
including blocking states and states that have an uncontrollable outgoing
transition to a forbidden state. To calculate the supervisor all the forbidden
states are removed. It has been shown in [15] that the same supervisor is
obtained by both approaches.
Example 5 Consider again the model of a simple manufacturing system
consisting of a handler (plant H) and a buffer (specification B) which is
shown in Figure 3.3. State q5 in H ‖B is an uncontrollable state that repre-
sents buffer overflow. We can note that this state is equivalent to the state
q2 in Figure 3.2 which uncontrollably takes the systems to ⊥. This state is
a forbidden state and is crossed out in Figure 3.3. To prevent the system from
reaching the forbidden state q5, event fetch needs to be disabled. Figure 3.3 shows
S, which is the least restrictive controllable and nonblocking supervisor, and it
is equal to the supervisor calculated in Example 4.
3.3.2 Need for Transforming Specifications to Plants
In Supremica’s original synthesis algorithm, uncontrollable states are marked
as forbidden and synchronisation of a forbidden state with a non-forbidden
state results in a forbidden state. Calculating the supervisor in the mono-
lithic way involves synchronising the plants and the specifications once, which
makes it possible to identify the forbidden states, and removing them using
the original synthesis algorithm. However, there are algorithms, for example
the compositional algorithm described in Chapter 4, that synchronise plants
and specifications step by step in an incremental way and using forbidden
states may result in a supervisor that is not least restrictive.
Figure 3.3: Automata of Example 5 (H, B, H ‖ B⊥ with states q0 to q5, and S; the state diagrams are not reproduced here).
Figure 3.4: Automata of Example 6 (G1, G2, K and G1 ‖ K; the state diagrams are not reproduced here). Calculating the supervisor using the
compositional approach without transforming K to plant.
Example 6 Consider the modular plant G = {G1, G2} and the specification
K shown in Figure 3.4. Using the compositional approach, first G1 is
synchronised with K. Since $G_1 \xrightarrow{\upsilon} q_1$ and K does not have such a transition, the
state q0 in G1 ‖ K becomes a forbidden state. Synchronising G1 ‖ K with G2
results in a single forbidden state. Synthesising a single forbidden state results
in the null automaton. Figure 3.5 shows K⊥ and G1 ‖ K⊥. Now synchronisation
of G1 ‖ K⊥ and G2 results in a single marked state and the synthesis
result is a single marked state, which is the least restrictive, controllable and
nonblocking supervisor.
3.3.3 Modular Approach and Forbidden States
The supervisor that is calculated by the algorithm in Section 3.2.1 is the
least restrictive, controllable and nonblocking supervisor. Calculating such
a supervisor for models with a huge number of states can be intractable. To
avoid such a problem, different approaches have been proposed. The modular
approach [1,6,11,34] is one such approach. The calculated
supervisor is a least restrictive and controllable modular supervisor. This
approach can be described by Algorithm 2 below.
Figure 3.5: Automata of Example 6 (G1, G2, K⊥, G1 ‖ K⊥ and S; the state diagrams are not reproduced here). Translating the specification to plant
results in the least restrictive supervisor in the compositional approach.
The modular approach uses forbidden states to mark uncontrollable and
blocking states. This seems to contradict the result in Section 3.3.2 where
a conclusion has been drawn that using forbidden states for algorithms that
calculate the supervisor in an incremental way results in a non-least restric-
tive supervisor. However, in Example 6 a non-least restrictive supervisor was
obtained because not all the plants sharing the uncontrollable event with the
specification are considered when forbidden states were identified.
To guarantee the least restrictive supervisor, all plants sharing uncontrol-
lable events with a specification K must be included in the synthesis plus all
plants sharing uncontrollable events with the originally picked plants. This
is what happens in steps 6-15 in Algorithm 2. Note that this may mean
that the modular approach in the worst case synthesises a supervisor for the
entire monolithic plant. In practice, though, the modular approach seems to
work rather well for most real industrial systems.
Example 7 Consider again the modular system G = {G1, G2} and the spec-
ification K shown in Figure 3.4. To use the modular approach, first K is
picked and since G1 and G2 share uncontrollable events with K they are also
picked. Calculating a supervisor for K, G1 and G2 results in a least restric-
tive supervisor.
Steps 10-14 in Algorithm 2 can be done more efficiently, as the plants can
be added incrementally when an uncontrollable event not in the specification
is encountered during synthesis.
Though the modular approach of Supremica generates for each specification
a supervisor, Si for i = 1, · · · , m, that is least restrictive, controllable
and nonblocking, this does not guarantee that the modular supervisor
S = S1 ‖ · · · ‖ Sm is globally nonblocking. The compositional verification
proposed in [14] can be used to verify whether the controlled system is blocking
or not. However, [14] gives no clues on how to handle the case when the
modular system is blocking.
Algorithm 2 Modular Approach
precondition : A given set of plants G = {G1, · · · , Gn} and a set of
specifications K = {K1, · · · , Km}.
postcondition : A set S, which is a controllable and least restrictive
supervisor.
1: S ← ∅
2: P ← ∅
3: l ← 1
4: repeat
5:   remove Kl from K and add it to P
6:   for i = 1, · · · , n do
7:     if ΣGi ∩ ΣKl ∩ Σu ≠ ∅ then
8:       add a copy of Gi to P
9:     end if
10:    for j = 1, · · · , n do
11:      if j ≠ i and ΣGj ∩ ΣP ∩ Σu ≠ ∅ then
12:        add a copy of Gj to P
13:      end if
14:    end for
15:  end for
16:  calculate supCN (‖P) and add it to S
17:  l ← l + 1
18: until l > m
19: return S
To achieve the least restrictive supervisor with the modular approach, all
plants sharing uncontrollable events, directly or indirectly, with a specifica-
tion must be considered. This limits the degree of freedom when choosing
the automata to compose. As shown, this limitation can be overcome by
transforming specifications to plants.
Chapter 4
Compositional Synthesis
Usually discrete event systems are modular in that the model of the system
consists of a set of plant components and a set of specifications, all inter-
acting with each other. Calculating a supervisor for a modular system in
the standard way involves building an explicit monolithic model which may
lead to the inherent complexity problem known as the state-space explosion
problem. This problem occurs when synchronisation of the components re-
sults in an automaton with a huge number of states, as the number of states
grows exponentially with the number of components. This problem makes it
intractable to examine the global states of a system due to lack of memory
and time. Consequently, constructing the monolithic model of the system is
not efficient and methods to exploit the modular structure are needed. Such
a method used in this thesis is the compositional approach. The composi-
tional approach has been successfully used for verification of discrete event
systems [4,10,14,32,33]. However, we are concerned with more than giving a
“yes” or “no” answer and the task is to iteratively remove states that violate
the specification.
In this chapter, first the general compositional approach is described. The
general compositional approach needs a proper notion of equivalence in order
to be used for synthesis analysis. Section 4.2 describes and compares different
equivalence relations that have been used for compositional synthesis. Then,
Section 4.3 presents different ways of reducing the size of subsystems, pre-
serving the equivalence relation that is used, and finally Section 4.4 applies
the method to several benchmark examples.
4.1 General Compositional Approach
Usually systems consist of several interacting subsystems and such systems
are referred to as modular systems. A modular system consists of a modular
plant and a modular specification.
G ‖K = (G1 ‖ · · · ‖Gl) ‖ (K1 ‖ · · · ‖Km) . (4.1)
In order to apply the synthesis algorithm described in Section 3.2.1, all the
specifications are translated into plants. So, the synthesis problem consists
of finding the least restrictive controllable and nonblocking supervisor for a
set of plants,
G ‖K⊥ = G1 ‖ · · · ‖Gn. (4.2)
To fight the state-space explosion problem, the compositional approach
avoids building the complete monolithic state space, instead it tries to con-
struct the monolithic model gradually. Before beginning the synchronisation
process, each individual component is first simplified, and replaced by the
equivalent component that the abstraction process yields. Synchronous
composition is then computed step by step once individual abstractions are no
longer possible, iteratively abstracting the intermediate results again. Eventually,
the procedure leads to a single automaton, which is an abstract description
of the system. This automaton has fewer states and transitions than
the original system. The final step is to use the final abstracted automaton
to calculate a supervisor. Figure 4.1 illustrates the general compositional
approach.
4.1.1 Local Events
The state space explosion problem is more noticeable when the components
are loosely coupled. More to the point, some components have internal be-
haviors independent of others. While this independence can result in state
space explosion, it can also be useful for developing the abstraction method-
ology in the compositional approach.
When abstracting an automaton Gi in the modular system (4.2), this
automaton will typically contain some events that do not appear in the al-
phabet of any other components. These events are called local events and are
denoted by the set Υ. Non-local or shared events are denoted by Ω = Σ \Υ.
Figure 4.1: General compositional approach. The modular system is de-
scribed by {G1, G2, · · · , Gn} which is a set of plant automata and ∼ is a
proper equivalence relation.
4.2 Equivalence Relations
Generally, the compositional approach attempts to replace individual compo-
nents by an abstracted version. Such reasoning requires that the abstracted
components are related to the original components. In this respect, a proper
notion of equivalence needs to be identified. This can be done by defining the
property that is required to be preserved. In this section some equivalence
relations used for compositional synthesis are given. The intention of using a
compositional approach here is to use the final result to calculate a supervisor
to control a system. Thus, given a plant G and the supervisor S calculated
in a monolithic way, in order to calculate S˜ (the supervisor calculated by the
compositional approach) the equivalence relation could be defined as either
maintaining an unchanged supervisor, L(S) = L(S˜), or having an unchanged
closed loop behavior L(G ‖ S) = L(G ‖ S˜). Defining an equivalence relation
considering supervisor equality was proposed and analysed in [15], and will
be described in section 4.2.1.
However, supervisors are calculated to modify the closed loop behaviour
of the system such that the specification is fulfilled. Consequently, in this
thesis, maintaining an unchanged closed loop behavior is considered as the
property of interest when calculating a supervisor. Furthermore, it gives us
more freedom to abstract.
4.2.1 Supervision Equivalence
Typically in modeling a system by automata, each state of an automaton is
labeled according to the state of the system. After synchronisation, the state
label of global states is made up of combinations of their corresponding local
states.
Earlier work on abstraction based compositional synthesis can be found
in [15]. The final supervisor calculated in [15] is a set of state labels that
defines the safe states in a symbolic way. The compositional approach pro-
posed uses the information of the state labels to create a link between the
symbolic supervisor and the original system. Thus, in this framework it is
crucial to abstract each component so that the final symbolic supervisor has
the same state labels as it would have had without any abstraction. Based on
this property a notion of abstraction called supervision equivalence is intro-
duced in [15]. When abstracting a component in the proposed compositional
approach by collapsing states, the resulting merged state will get all the
corresponding state labels. In the final step of the compositional approach,
synthesis is applied on a single state that uses the same state labels as the
original system.
The supervisor calculated in this framework is a least restrictive, control-
lable and nonblocking supervisor. However, the supervisor is monolithic. In
addition, the equivalence requires additional state labels, making some desir-
able abstractions impossible, such as bisimulation described in Section 4.3.
Thus, it is favorable to find an equivalence relation that is independent of
state labeling.
4.2.2 Synthesis Abstraction
To maintain an unchanged closed loop behaviour after abstraction, synthesis
abstraction is introduced in [Paper I]. Given a modular plant G, synthesis
abstraction requires that the synthesis result for component G1 and its ab-
straction G˜1 are the same no matter what the behaviour of the remainder of
the system is:
L(G1 ‖ · · · ‖Gk ‖ supCN (G1 ‖G2 ‖ · · · ‖Gk))
= L(G1 ‖ · · · ‖Gk ‖ supCN (G˜1 ‖G2 ‖ · · · ‖Gk)) . (4.3)
Note that the supervisor calculated in this framework does not have the
same language or number of states as the monolithic supervisor. However it
produces the same closed loop language as the monolithic supervisor.
In this framework, the least restrictive modular supervisor consists of
the final calculated supervisor and the specification K. However, the mono-
lithic supervisor never needs to be calculated. It can be represented in its
modular form, and synchronisation can be performed on-line, tracking the
synchronous product states as the system evolves. In this way, synchronous
product computation and state-space explosion can be avoided.
Example 8 Consider automata G, G˜, and T in Figure 4.2. All events are
controllable, and events α and β are local events since they only appear in G.
States q0 and q1 in G can be merged resulting in G˜, which is a synthesis
abstraction of G. Figure 4.2 shows S̃ = supCN (G̃ ‖ T), which has fewer states
than the monolithic supervisor S, which is also shown in Figure 4.2.
However, both supervisors produce the same closed loop behaviour, that is,
L(G ‖ T ‖ S̃) = L(G ‖ T ‖ S).
Several methods for abstracting automata such that synthesis abstraction
is preserved are described in [Paper I]. However, to guarantee that the syn-
thesis abstraction is preserved after applying these methods, the abstracted
automata are required to be deterministic in all the abstraction steps.
Figure 4.2: Automata of Example 8 (G, G̃, T, S̃ and S; the state diagrams are not reproduced here). Abstraction of G results in the deterministic
automaton G̃.
Figure 4.3: Automata of Example 9 (G, G̃, T, S̃ and S; the state diagrams are not reproduced here). Abstraction of G results in the nondeterministic
automaton G̃, which is unsuitable as synthesis abstraction.
Example 9 Consider the modular system {G, T} in Figure 4.3. Plant G
in this system differs from that of Example 8 in the transition between
states q1 and q3. All events are controllable, and events α and β are local since
they are only in G. The same abstraction method as in Example 8 results in
merging states q0 and q1 in G. However, here merging these states results in a
nondeterministic automaton G˜. Figure 4.3 shows S˜ = supCN (G˜ ‖ T ). Since
this supervisor enables event γ after both α and β, the closed-loop system is
blocking, so S˜ is not a correct supervisor.
Even though the same abstraction method has been applied in both Ex-
ample 8 and Example 9, synthesis abstraction has not been preserved in
Example 9 due to nondeterminism.
Since synthesis abstraction requires deterministic automata after abstrac-
tion, the abstraction methods described in [Paper I] can not be applied when
merging states results in nondeterminism. In order to be able to apply the
abstraction methods regardless of nondeterminism, a new equivalence called
synthesis equivalence was introduced in [Paper II].
4.2.3 Renaming and Synthesis Equivalence
Supervisory control theory is generalised for nondeterministic models in [18,
21,35] among others. In [18,21], even though the plant may be nondetermin-
istic, the specification must be deterministic. This condition is relaxed in [35],
where the plant and specification can be nondeterministic with the objective
that the controlled system be bisimulation equivalent to the specification.
The nondeterminism considered in this work is the result of abstraction.
To avoid nondeterminism after abstraction the idea of distinguishing sen-
sors [5] is adapted and renaming is proposed in [Paper II]. Renaming intro-
duces new events that are linked to the original nondeterministic transitions.
After applying a renaming on one component, new events are introduced, so
the remaining components need to be modified to use the new events.
Example 10 Consider automata G and T in Figure 4.4, let G0 = {G, T}.
As was seen in Example 9, merging q0 and q1 results in a nondeterminis-
tic automaton. To avoid nondeterminism, the renaming ρ : {α, β, γ1, γ2}→
{α, β, γ} with ρ(α) = α, ρ(β) = β, and ρ(γ1) = ρ(γ2) = γ can be applied on
G, producing H. Since T also has γ, it needs to be modified into T ′. Now
abstracting H results in a deterministic automaton.
When introducing renaming, some events are replaced by new events that
do not appear in the original plant model. Then it is no longer clear how
a supervisor synthesised from the renamed model can control the original
plant. To make this possible, a distinguisher is introduced in [Paper II] that
enables the final supervisor to choose the correct transitions. In Example 10,
H is a distinguisher.
Figure 4.4: Automata of Example 10 (G, T, H, H̃ and T′; the state diagrams are not reproduced here). Abstraction of G results in the
nondeterministic automaton G̃ (see G̃ in Figure 4.3). Renaming event γ into γ1
and γ2 gives H, which leads to the deterministic abstraction H̃.
The original modular system (4.2) only consists of a set of uncontrolled
plants, G. In the new framework however, renaming and the corresponding
distinguishers also need to be taken into account. To keep track of renaming,
ρ, and the collected distinguishers, S, a synthesis triple, written as (G,S, ρ),
is introduced in [Paper II]. Synthesis triples combine all the information col-
lected at each abstraction step, and are the main data structure manipulated
by the compositional synthesis algorithm.
Note that S not only contains distinguishers but also other components,
referred to as partial supervisors. Section 4.3 will expand on the other com-
ponents in S.
To use the compositional algorithm for synthesis, a notion of abstraction
for synthesis triples is needed. Every abstraction step must ensure that the
synthesis result is the same as it would have been for the non-abstracted
components. Based on this property, synthesis equivalence was introduced
in [Paper II]. Two triples (G1;S1; ρ1) and (G2;S2; ρ2) are said to be synthesis
equivalent, written (G1;S1; ρ1) ≃synth (G2;S2; ρ2), if L(ρ1(supCN (G1)‖S1)) =
L(ρ2(supCN (G2) ‖ S2)).
The compositional synthesis algorithm calculates a modular supervisor
for a modular system G = G0. Initially, no abstraction has been applied
and no distinguisher or partial supervisor are collected yet. Thus, the initial
distinguisher set is empty and the initial renaming is an identity renaming
that maps each event to itself. At each step of the compositional approach,
some automata are selected to compose, abstract and rename if necessary.
After each step the renaming and the distinguisher are collected. These
procedures change the initial triple iteratively such that synthesis equivalence
is preserved. The algorithm terminates once there is a single automaton in
the set of uncontrolled plants. This automaton represents the abstracted and
renamed description of the original system. Finally, synthesis is applied on
this automaton and the result is added to the supervisor set.
The final supervisor calculated in this framework is a set of supervisors.
Here, since the synthesis triple contains the original uncontrolled plant, not
only is the closed loop behaviour left unchanged, but the synchronisation of the
modular supervisors is also equal to the monolithic supervisor.
Example 11 Consider automata G and T in Figure 4.5, let G0 = {G, T},
and consider the initial synthesis triple (G0; ∅; id). As suggested in Exam-
ple 10, automaton G is replaced by H in Figure 4.5, using renaming ρ : {α, β,
γ1, γ2} → {α, β, γ} with ρ(α) = α, ρ(β) = β, and ρ(γ1) = ρ(γ2) = γ. It can
be shown that (G0; ∅; id) ≃synth (G1;S; ρ) where G1 = {H, T′} and S = {H}.
Abstracting H results in the deterministic automaton H̃, shown in Figure 4.5.
This changes the synthesis triple to (G2;S; ρ) where G2 = {H̃, T′}. The figure
also shows S˜1 = supCN (G2) which is a partial supervisor. The final mod-
ular supervisor contains the partial supervisor S˜1 and the distinguisher H.
Changing back the renamed events results in S, which is the least restrictive
nonblocking and controllable supervisor.
4.3 Abstraction Methods Preserving Synthesis
Equivalence
Even though it seems easy to define an equivalence relation that should be
preserved, finding methodologies to simplify the systems in a way that the
property of interest is preserved is not straightforward. The main challenge
in the compositional synthesis approach is to find methods to abstract au-
tomata such that synthesis equivalence is preserved. Since the only step in
the compositional approach that actually reduces the size of a system is the
abstraction step, the efficiency of the compositional approach considerably
depends on the abstraction methods.
Generally, abstraction methods for compositional verification, such as
those proposed in [14], are not applicable to compositional synthesis. In
compositional verification, the identity of local events can be disregarded.
However, the identity of events is needed in compositional synthesis in order
to enable the supervisor to make decisions. Moreover, fewer states can be
merged in compositional synthesis, since merged states should not only
have the same blocking property, they should also have the same synthesis
property, meaning that either none of them are removed by synthesis or all of them
are removed by synthesis.
Figure 4.5: Automata of Example 11 (G, T, H, H̃, T′, S̃1 and S; the state diagrams are not reproduced here). Abstraction of G results in the
nondeterministic automaton G̃ (see G̃ in Figure 4.3). To avoid nondeterminism,
event γ in G is renamed into γ1 and γ2 producing H. Abstracting H leads
to the deterministic H̃. Calculating a supervisor using H̃ and T′ results in
a least restrictive controllable and nonblocking supervisor S̃1 ‖ H, which is
equal to the monolithic supervisor.
This section discusses some possible methods to compute synthesis equiv-
alent abstraction. Most of the abstraction methods presented in this section
are based on observation equivalence [27]. While observation equivalence
does not in general preserve synthesis equivalence, it can be strengthened to
do so, as shown below.
Note that in [25, 30], observation equivalence is used in compositional
synthesis. However, in these works the set of local events only consists of un-
observable events and observable events are never considered as local. Yet,
in this work observable events can also become local as soon as they only
appear in one component. This makes it more difficult to find suitable ab-
stractions, because the synthesised supervisor may synchronise on observable
events, even if they are local.
4.3.1 Observation Equivalence
Observation equivalence or weak bisimilarity provides a well-known abstrac-
tion method [27]. Two states are considered observation equivalent if they
are able to execute the same transitions when local events are not considered.
Definition 10 Let G = 〈Σ, Q,→, Q◦〉 be an automaton, and let Ω ⊆ Σ. An
equivalence relation ≈ ⊆ Q × Q is called an observation equivalence on G
with respect to Ω, if the following holds for all x1, x2 ∈ Q such that x1 ≈ x2:
if $x_1 \xrightarrow{s_1} y_1$ for some $s_1 \in \Sigma^*$, then there exist $y_2 \in Q$ and $s_2 \in \Sigma^*$ such that
$P_\Omega(s_1) = P_\Omega(s_2)$, $x_2 \xrightarrow{s_2} y_2$, and $y_1 \approx y_2$.
Observation equivalence is known to preserve all temporal logic proper-
ties [27] and has been used in compositional verification [14]. However, it
can be shown by a counterexample that observation equivalence in general
does not preserve synthesis equivalence.
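Definition 10 computed by partition refinement, as an added Python example that is not code from the thesis. The three-state automaton in it is constructed here after the shape of Example 12 (local controllable α, shared β and !υ, q0 marked) and is an assumption, as is treating the marking as the thesis's termination event ω, so that two equivalent states must both be able to reach a marked state by local events or neither; with Ω = Σ the same routine gives bisimulation equivalence.

```python
# Definition 10 (observation equivalence with respect to Ω) as a partition refinement.
# Added example, not code from the thesis.  The automaton below is constructed here after
# the shape of Example 12: α is a local controllable event, β and !υ are shared, q0 is marked.
ALPHABET = {"α", "β", "!υ"}
STATES = {"q0", "q1", "q2"}
MARKED = {"q0"}
TRANS = {("q0", "β", "q1"), ("q1", "α", "q2"), ("q2", "!υ", "q0")}


def local_closure(trans, local, x):
    """States reachable from x using local events only (x itself included)."""
    seen = {x}
    while True:
        more = {b for (a, e, b) in trans if a in seen and e in local} - seen
        if not more:
            return seen
        seen |= more


def weak_successors(trans, local, x, e):
    """States y with x ==e==> y, i.e. x --local*--> --e--> --local*--> y."""
    before = local_closure(trans, local, x)
    after = set()
    for (a, ev, b) in trans:
        if a in before and ev == e:
            after |= local_closure(trans, local, b)
    return after


def observation_equivalence(alphabet, states, marked, trans, omega):
    """Coarsest observation equivalence on the automaton with respect to Ω, as a set of blocks.
    Marking is treated as the termination event ω: a state 'can terminate' if it reaches a
    marked state by local events.  Starts from one block and splits until nothing changes."""
    local = set(alphabet) - set(omega)
    block = {x: 0 for x in states}
    while True:
        signature = {}
        for x in states:
            moves = frozenset((e, block[y]) for e in omega for y in weak_successors(trans, local, x, e))
            can_terminate = bool(local_closure(trans, local, x) & set(marked))
            signature[x] = (can_terminate, moves)
        ids = {s: i for i, s in enumerate(sorted(set(signature.values()), key=repr))}
        refined = {x: ids[signature[x]] for x in states}
        if len(set(refined.values())) == len(set(block.values())):  # no block was split
            return {frozenset(x for x in states if block[x] == b) for b in set(block.values())}
        block = refined


def quotient(states, trans, partition):
    """The abstracted automaton G̃: each block becomes one state named after its members."""
    name = {x: "".join(sorted(b)) for b in partition for x in b}
    return {name[x] for x in states}, {(name[a], e, name[b]) for (a, e, b) in trans}


# With Ω = {β, !υ} (α local) q1 and q2 fall into one block, mirroring the merged state of G̃.
OBS_EQUIV = observation_equivalence(ALPHABET, STATES, MARKED, TRANS, omega={"β", "!υ"})
# With Ω = Σ (no local events) the relation is bisimulation and all three states stay apart.
BISIM = observation_equivalence(ALPHABET, STATES, MARKED, TRANS, omega=ALPHABET)
```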
Example 12 Consider the synthesis triple G = ({G, T}; ∅; id) where G and
T are shown in Figure 4.6. Events α and β are controllable, while !υ is
uncontrollable. Automata G and G̃ in Figure 4.6 are observation equivalent
with respect to Υ = {α}. An attempt at abstracting G = ({G, T}; ∅; id)
using G̃ gives G̃ = ({G̃1, T1}; {G1}; id), including the original automaton G1
as a supervisor. However, β ∈ L(supCN (G)) and β ∉ L(supCN (G̃)), because
with G, a supervisor could disable the local controllable event α to prevent
entering state q2 and thus the occurrence of the undesirable uncontrollable !υ,
but this is no longer possible in G̃.
Figure 4.6: Automata of Example 12 (G, G̃ and T; the state diagrams are not reproduced here).
In the following, bisimulation, uncontrollable observation equivalence and
synthesis observation equivalence are described as the methods preserving
synthesis equivalence. These methods are obtained by restricting observa-
tion equivalence and were first proposed in [Paper I] to preserve synthesis
abstraction. In [Paper III] it is proven that these methods also preserve
synthesis equivalence.
Bisimulation
Example 12 shows that observation equivalence needs to be restricted if it is
to be used in compositional synthesis. One simple way to restrict observation
equivalence such that it implies synthesis abstraction is by not permitting
any local events.
Observation equivalence without local events leads to bisimulation equiv-
alence [27], one of the strongest known process equivalences. Two states are
considered bisimilar if they have the same future behaviour. It has been
shown in [Paper III] that merging bisimilar states results in synthesis equiv-
alence.
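As an added example (not code from the thesis or from Supremica), the following Python computes the coarsest observation equivalence of Definition 10 by partition refinement: every state gets a signature made of its saturated moves, x =ε=> y (local events only) and x =σ=> y (local* σ local*), and classes are split until no signature separates two states of one class. The set of local events is a parameter and plays the role of Ω, the events that PΩ erases; passing an empty set forbids skipping any event and yields bisimulation equivalence, the restriction described above. The three-state plant at the end is an assumption constructed in the spirit of Example 12 (the exact structure of Figure 4.6 is not reproduced in this text); uncontrollable events are written with a leading "!".

```python
# Observation equivalence (Definition 10) by partition refinement. `trans` is a
# set of (src, event, dst); `local` plays the role of Omega, the events that the
# projection P_Omega erases. With local = set() nothing may be skipped and the
# result is bisimulation equivalence.

def local_closure(trans, start, local):
    """All states reachable from `start` by local-event transitions only."""
    seen, stack = {start}, [start]
    while stack:
        x = stack.pop()
        for (s, ev, d) in trans:
            if s == x and ev in local and d not in seen:
                seen.add(d)
                stack.append(d)
    return seen

def weak_successors(trans, state, event, local):
    """Targets y of x -s-> y with P_Omega(s) = event, i.e. local* event local*."""
    targets = set()
    for x in local_closure(trans, state, local):
        for (s, ev, d) in trans:
            if s == x and ev == event:
                targets |= local_closure(trans, d, local)
    return targets

def observation_equivalence(states, trans, local):
    """Coarsest observation equivalence on `states` w.r.t. `local`, as a map
    from state to class number; x and y are equivalent iff they share a number."""
    observable = {ev for (_, ev, _) in trans} - set(local)
    block = {q: 0 for q in states}            # start from a single class
    while True:
        sig = {}
        for q in states:
            moves = {("", block[y]) for y in local_closure(trans, q, local)}
            for ev in observable:
                moves |= {(ev, block[y]) for y in weak_successors(trans, q, ev, local)}
            sig[q] = (block[q], frozenset(moves))
        ids = {}
        refined = {q: ids.setdefault(sig[q], len(ids)) for q in states}
        if len(ids) == len(set(block.values())):
            return refined                     # no class was split: fixpoint
        block = refined

def equivalent(states, trans, local, x, y):
    cls = observation_equivalence(states, trans, local)
    return cls[x] == cls[y]

# Constructed three-state plant in the spirit of Example 12 (an assumption; the
# exact structure of Figure 4.6 is not reproduced here): the local controllable
# event alpha leads from q1 to q2, where the uncontrollable !v becomes enabled.
STATES = {"q0", "q1", "q2"}
TRANS = {("q0", "beta", "q1"), ("q1", "alpha", "q2"), ("q2", "!v", "q0")}

if __name__ == "__main__":
    print(observation_equivalence(STATES, TRANS, {"alpha"}))   # q1 and q2 share a class
    print(observation_equivalence(STATES, TRANS, set()))       # bisimulation: three classes
```

With local = {"alpha"}, q1 and q2 end up in one class, which is the merge that produces G˜ in Example 12; with local = set() all three states stay distinct. The routine ignores marking, exactly as Definition 10 does; it checks the abstraction step only and says nothing about whether the merge preserves synthesis, which is what Example 12 shows it need not.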
Uncontrollable Observation Equivalence
While bisimulation ensures synthesis equivalence, not permitting any local
events is highly restrictive, and it is desirable to relax the condition. In
[Paper I] uncontrollable observation equivalence was introduced.
4.3. ABSTRACTION METHODS PRESERVING SYNTHESIS EQUIVALENCE 33
[Figure 4.7: Automata of Example 13: G (states q0 to q9), G˜ (states [q0], [q1], [q3], [q5], [q6], [q9]) and T; events α, β, γ, (!ν), (!µ). G˜ is observation equivalent to G with only uncontrollable local events. Nevertheless it does not preserve synthesis equivalence. Figure not reproduced.]
In uncontrollable observation equivalence, as in observation equivalence,
equivalent states need to have the same outgoing transitions when local
events are disregarded. However, two more conditions need to be imposed
to ensure that synthesis equivalence is preserved (Paper III, Definition 20).
The first condition is:
local events must be uncontrollable.
The second condition is motivated by the following example.
Example 13 In Figure 4.7, the local events !µ and !ν are both uncontrol-
lable, and q1 and q2 are observation equivalent. However, α ∈ L(supCN(G˜ ‖
T)) while L(supCN(G ‖ T)) = ∅. This is because the occurrence of α in the
trace q2 –!µ α !µ→ q8 leads to the deadlock state q9 after the uncontrollable !ν.
To avoid this, α must be disabled in q4, which makes q4 a blocking state.
Removing q4 makes q2 an uncontrollable state, whereas q1 is a safe state.
Thus, although q1 and q2 are observation equivalent, merging them does not
preserve synthesis equivalence.
The problem in this example is that the states q1 and q2 are considered
equivalent even though q1 is a safe state and q2 is not. This difference is
caused by accepting q2 –!µ α !µ→ q8, a sequence through unsafe states, as a
match for the safe transition q1 –α→ q6. Thus, merging q1 and q2 does not
result in synthesis equivalence. This problem is avoided by requiring the
following condition:
a trace matching a controllable transition must not contain
any local events after the controllable event.
The second condition guarantees that merged states have the same synthesis
property.
Uncontrollable observation equivalence preserves synthesis equivalence as
proved in [Paper III].
Synthesis Observation Equivalence
However, the conditions of uncontrollable observation equivalence can be re-
laxed, permitting controllable local events. In [Paper I] synthesis observation
equivalence was introduced to preserve synthesis abstraction and in [Paper
III] it is proven that it also preserves synthesis equivalence.
Synthesis observation equivalence is obtained by adding two extra re-
quirements on observation equivalence (Paper III, Definition 21). The first
requirement is,
a trace matching an uncontrollable transition must only contain
uncontrollable events.
The second condition is described by the following example.
Example 14 Automata G and G˜ in Figure 4.8 are observation equivalent
with controllable local events α and β. In both G and G˜, the controllable
event α must be disabled to prevent the undesired uncontrollable !ν. By dis-
abling α in G, state q2 becomes a blocking state and needs to be removed.
Removing q2 makes q0 an uncontrollable state, so it also needs to be re-
moved. However, disabling α does not make q1 a blocking state. Thus, q1 and
q2 cannot be merged.
The problem in Example 14 is that q1 –β→ q4, which is a safe transition, is
matched by q2 –α→ q5 –α→ q6, which is not a safe sequence. If in this example
either α were uncontrollable or q5 were equivalent to q2 or q6, then G˜
would preserve synthesis equivalence. Thus, the second condition that needs
to be imposed is:
[Figure 4.8: Automata of Example 14: G (states q0 to q7), G˜ (states [q0], [q1], [q3], [q4], [q7]) and T; events (α), (β), !ν. Figure not reproduced.]
two states x and x′ are equivalent only if every local controllable
transition x –σ→ y has a matching sequence of local transitions
x′ –s→ y′ such that every state along this path that is reached
by a local controllable transition is equivalent to x or y.
This condition ensures that all equivalent states have the same synthesis
property, so that removing one of them removes all of them.
Note that more abstraction is possible by synthesis observation equiv-
alence than uncontrollable observation equivalence. However, uncontrol-
lable observation equivalence has lower computational complexity and con-
sequently abstraction can be done faster [Paper III].
4.3.2 Selfloop Removal
In compositional verification, events used in only one component can
immediately be removed from the model [14]. This is not always possible
in compositional synthesis. Even if no other component uses an event, the
synthesised supervisor may still need it for control decisions that are
not yet apparent. Therefore, events can only be removed if it is clear that
no further supervisor decision depends on them.
An event can be removed from a synthesis triple if it causes no state
change, which means that it appears only on selfloop transitions in the
automaton. In this case, the event can be removed from all plant components.
Plant components that disable a local selfloop need to be kept as partial
supervisors in S to ensure that the final supervisor disables the event when
needed. Selfloop removal preserves synthesis equivalence as proven in [Paper
III].
4.3.3 Halfway Synthesis
Sometimes it is clear that certain states in a component must be removed in
synthesis, no matter what the behaviour of the rest of the system is. Clearly,
blocking states can never become non-blocking. Moreover, local uncontrol-
lable transitions to blocking states must be removed, because it is clear that
no other component nor the supervisor can disable a local uncontrollable
transition.
Such states can be removed early on using halfway synthesis [15].
Definition 11 Let G = 〈Σ, Q, →, Q◦〉 and Υ ⊆ Σ. The halfway synthesis
result for G with respect to Υ is

    hsupCNΥ(G) = 〈Σ, Q ∪ {⊥}, →hsup, Q◦〉 ,                                  (4.4)

where supCNΥ(G) = 〈Σ, Q, →sup, Q◦〉, ⊥ ∉ Q, and

    →hsup = →sup ∪ { (x, σ, ⊥) | σ ∈ (Σ ∩ Σu) \ Υ, x –σ→, and x –σ→sup does not hold } .   (4.5)
Halfway synthesis is calculated like ordinary synthesis, but considering
only events in the set Υ as uncontrollable. Potential controllability problems
caused by other uncontrollable events are reflected in the result by including
transitions to a blocking state, ⊥.
Example 15 Consider automaton G in Figure 4.9, which is part of a larger
system. The uncontrollable events !µ and !υ are local. State q3 is blocking,
so q2 is unsafe, because the uncontrollable !µ-transition cannot be disabled.
Every nonblocking supervisor can and will disable the α-transition from state
q1 to q2. State q1 may still be safe, because some other component may disable
the shared event !ζ. The blocking state and the !ζ-transition are retained
in the halfway synthesis result hsupCN{!υ,!µ}(G), see Figure 4.9, so that a later
synthesis step is aware of the potential problem regarding !ζ in state q1.
Halfway synthesis preserves synthesis equivalence as proven in [Paper III].
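As an added example (not code from the thesis or from Supremica), the following Python implements synchronous composition, the synthesis operator supCN and the halfway synthesis of Definition 11 on explicit finite automata, and runs them on two constructed instances: one reproducing the situation of Example 12, where β survives synthesis of G ‖ T but not of G˜ ‖ T, and one reproducing Example 15, where hsupCN keeps q1 and redirects !ζ to ⊥ while full synthesis with !ζ uncontrollable would discard q1. The transition structures of Figures 4.6 and 4.9 are not reproduced in this text, so the automata below are assumptions built to match the examples' descriptions (all states of the Example 12 plant are marked so that merging q1 and q2 is not blocked by marking); marked states are an explicit set, and uncontrollable events carry a leading "!" (α, β, !υ, !µ, !ζ appear as alpha, beta, !v or !u, !mu, !zeta).

```python
from itertools import product

# An automaton is a dict with keys states, trans (set of (src, event, dst)),
# init and marked. Uncontrollable events carry a leading "!" as in the thesis;
# marked states are an explicit set (a representation choice of this example).

def is_unc(ev):
    return ev.startswith("!")

def compose(a, b):
    """Synchronous composition a || b: shared events are taken jointly,
    events private to one component interleave freely."""
    alph = lambda aut: {ev for (_, ev, _) in aut["trans"]}
    shared = alph(a) & alph(b)
    trans = set()
    for (s1, ev, d1) in a["trans"]:
        if ev in shared:
            trans |= {((s1, s2), ev, (d1, d2)) for (s2, e2, d2) in b["trans"] if e2 == ev}
        else:
            trans |= {((s1, s2), ev, (d1, s2)) for s2 in b["states"]}
    for (s2, ev, d2) in b["trans"]:
        if ev not in shared:
            trans |= {((s1, s2), ev, (s1, d2)) for s1 in a["states"]}
    return {"states": set(product(a["states"], b["states"])), "trans": trans,
            "init": set(product(a["init"], b["init"])),
            "marked": set(product(a["marked"], b["marked"]))}

def supcn(aut, unc=is_unc):
    """supCN: greatest set of states that is nonblocking (each reaches a marked
    state inside the set) and controllable (no `unc` event leaves the set)."""
    safe = set(aut["states"])
    while True:
        coreach = aut["marked"] & safe
        grew = True
        while grew:                       # backward closure inside `safe`
            grew = False
            for (s, _, d) in aut["trans"]:
                if s in safe and d in coreach and s not in coreach:
                    coreach.add(s)
                    grew = True
        new_safe = {s for s in coreach if not any(
            src == s and unc(ev) and d not in coreach for (src, ev, d) in aut["trans"])}
        if new_safe == safe:
            return {"states": safe, "init": aut["init"] & safe, "marked": aut["marked"] & safe,
                    "trans": {t for t in aut["trans"] if t[0] in safe and t[2] in safe}}
        safe = new_safe

def halfway_synthesis(aut, local_unc):
    """hsupCN (Definition 11): synthesise with only `local_unc` treated as
    uncontrollable, then redirect each other uncontrollable event that G enables
    but the result does not to the blocking state "⊥", so later steps still see it."""
    sup = supcn(aut, unc=lambda ev: ev in local_unc)
    dumped = {(s, ev, "⊥") for (s, ev, _) in aut["trans"]
              if is_unc(ev) and ev not in local_unc
              and not any(src == s and e2 == ev for (src, e2, _) in sup["trans"])}
    return {"states": aut["states"] | {"⊥"}, "trans": sup["trans"] | dumped,
            "init": set(aut["init"]), "marked": set(sup["marked"])}

def reachable(aut):
    """Restrict to the states reachable from the initial states."""
    seen, stack = set(aut["init"]), list(aut["init"])
    while stack:
        x = stack.pop()
        for (s, _, d) in aut["trans"]:
            if s == x and d not in seen:
                seen.add(d)
                stack.append(d)
    return {"states": seen, "init": set(aut["init"]), "marked": aut["marked"] & seen,
            "trans": {t for t in aut["trans"] if t[0] in seen}}

def accepts(aut, trace):
    """True iff `trace` (a list of events) is in the prefix-closed language."""
    current = set(aut["init"])
    for ev in trace:
        current = {d for (s, e, d) in aut["trans"] if s in current and e == ev}
        if not current:
            return False
    return True

# Constructed instances (assumptions, not the figures) matching Examples 12 and 15.
G12 = {"states": {"q0", "q1", "q2"}, "init": {"q0"}, "marked": {"q0", "q1", "q2"},
       "trans": {("q0", "beta", "q1"), ("q1", "alpha", "q2"), ("q2", "!v", "q0")}}
G12_ABS = {"states": {"q0", "q12"}, "init": {"q0"}, "marked": {"q0", "q12"},  # q1, q2 merged
           "trans": {("q0", "beta", "q12"), ("q12", "alpha", "q12"), ("q12", "!v", "q0")}}
T12 = {"states": {"t0", "t1", "t2"}, "init": {"t0"}, "marked": {"t0", "t1"},  # t2 blocks
       "trans": {("t0", "!v", "t0"), ("t0", "beta", "t1"), ("t1", "!v", "t2")}}
G15 = {"states": {"q1", "q2", "q3"}, "init": {"q1"}, "marked": {"q1"},
       "trans": {("q1", "alpha", "q2"), ("q2", "!mu", "q3"), ("q2", "!u", "q1"),
                 ("q1", "!zeta", "q3"), ("q1", "beta", "q1")}}

def example12():
    """(beta allowed after synthesis of G || T, beta allowed for the abstraction G~ || T)"""
    return (accepts(supcn(compose(G12, T12)), ["beta"]),
            accepts(supcn(compose(G12_ABS, T12)), ["beta"]))

def example15():
    """Reachable transitions of hsupCN_{!u,!mu}(G15)."""
    return reachable(halfway_synthesis(G15, {"!u", "!mu"}))["trans"]
```

supcn treats every "!"-event as uncontrollable, while halfway_synthesis passes a predicate that treats only Υ as uncontrollable; that predicate, plus the redirected transitions, is exactly the difference between (4.4) and ordinary synthesis. Without the ⊥-transition, a later step that composes the result with a component disabling !ζ could no longer tell that q1 was only conditionally safe, and with !ζ treated as uncontrollable up front, supcn(G15) is empty.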
[Figure 4.9: Automata of Example 15: G (states q1, q2, q3; events !ζ, α, β, (!υ), (!µ)) and hsupCN{!υ,!µ}(G) (states q1, ⊥; events !ζ, β). Figure not reproduced.]
[Figure 4.10: Automata of Example 16: G, T, H, G˜ and S˜; events (α), (β), γ. Figure not reproduced.]
4.3.4 Partial Supervisors
Whenever the observation equivalence based abstraction are used, the origi-
nal automata are kept as partial supervisor in S. This is critical at the steps
where observation equivalence based abstractions and halfway synthesis are
applied simultaneously. This is illustrated in Example 16.
Example 16 Consider the modular system G = {G, T} in Figure 4.10. All
events are controllable, and α and β are local events. First, halfway
synthesis is applied to G, resulting in H = hsupCN(G). Next, synthesis
observation equivalence applied to H results in G˜. Taking S˜ = supCN(G˜ ‖ T)
as the only supervisor gives a supervisor that allows γ after both α and
β. Allowing γ after α leads to a blocking state. In order to enable the
supervisor to make the correct decision, H needs to be kept as a partial
supervisor. With H as part of the supervisor, the supervisor only allows
γ after β.
4.4 Experimental Results
The algorithms presented in this work have been implemented in the DES software
tool Supremica [31] and used to construct modular supervisors for a number
of benchmark examples. The examples used here are the same as those used
in [Paper III]. Here, the experimental results of [Paper III] are
extended and also compared to the modular approach of Supremica.
4.4.1 Test Examples
The test cases include complex industrial models and case studies taken
from various application areas such as manufacturing systems and automo-
tive body electronics. All the test cases considered are either uncontrollable,
blocking, or both. Some details about the test cases are given in the follow-
ing.
agv Automated guided vehicle coordination based on the Petri net model
in [28]. To make the example blocking in addition to uncontrollable,
there is also a variant, agvb, with an additional zone added at the
input station.
aip Automated manufacturing system of the Atelier Inter-établissement de
Productique [7]. There are different versions of aip. Here the early
version aip0alps and a subsystem aip0sub1p0 are considered.
fencaiwon09 Model of a production cell in a metal-processing plant intro-
duced in [12]. Here two variants are considered fencaiwon09b, which is
blocking and fencaiwon09s, which is both blocking and uncontrollable.
fms2003 Large-scale flexible manufacturing system based on [36].
ftechnik Flexible production cell based on [24]; no controllable and non-
blocking solution exists.
ipc Intertwined product cycles based on [23]. Two types of products are
produced in a manufacturing system with two machines such that the
products must move back and forth between the two machines in op-
posite directions.
tbed Model of a toy railroad system described in [22]. The original model
is tbed-ctct. The blocking model tbed-noderailb is created according
to the original specifications, and the uncontrollable model tbed-uncont
represents another design.
verriegel Models of the central locking system of a BMW car. There are
two variants, a three-door model verriegel3, and a four-door model
verriegel4. These models are derived from [20].
For most of these models the monolithic approach fails to calculate a
supervisor.
4.4.2 Heuristics
One crucial issue for compositional algorithms is to decide which automata
to compose. The implementation presented here follows a two-step proce-
dure introduced in [14]. In the first step a set of candidates, i.e., groups of
automata that may be composed, is formed. In the second step the best
candidate is identified. Both the set of candidates, and the “best” candidate
are selected heuristically.
Some of the heuristics for the first step are:
• minT Candidates are all automata pairs containing the automaton with
the fewest transitions.
• mustL For each event σ a candidate is formed by considering all auto-
mata with σ in the alphabet, so σ becomes a local event when composing
the automata of the candidate.
The heuristics for the second step mostly rely on the observation that a high
proportion of local events increases the possibility of abstraction, while small
composed automata increase the efficiency of the algorithm. The following
heuristics can be used in the second step:
• maxL Choose the candidate with the highest proportion of local events.
• maxC Choose the candidate with the highest proportion of shared events.
• minS Choose the candidate for which the product of the number of
states of the candidate automata is smallest.
4.4.3 Results
The algorithm described in [Paper III] has been used and the benchmarks
were run on a standard desktop PC using a single core 2.66GHz micropro-
cessor.
In [Paper III] mustL/minS was selected as the best heuristic, since consis-
tently good results are achieved with it for all examples. Here, however,
different heuristics are selected for different models. A heuristic can be
selected to optimise time, memory usage or the size of the largest
supervisor. Since time and memory do not differ significantly, the heuristics
are chosen here based on the number of states of the largest supervisor
component constructed.
The results of the experiments are shown in Table 4.1. For each model,
the table shows the number of automata (Aut), the number of reachable
states (Size) and whether the model is controllable or nonblocking. Next,
the table shows the total runtime (Time), the total amount of memory used
Table 4.1: Compositional synthesis

                                                  Time   Mem.    Supervisor      Heuristic
Model           Aut  Size       Nonb.  Cont.      [s]    [MB]    Num.  Largest   Step 1  Step 2
agv              16  2.6·10^7   true   false      0.25   382.7      6     2214   mustL   maxC
agvb             17  2.3·10^7   false  false      0.20   346.9      7     1680   mustL   maxC
aip0alps         35  3.0·10^8   false  true       0.73   370.2      3       18   mustL   maxC
aip0sub1p0       46  24386      false  true       0.09   336.2      4        1   mustL   maxL
fencaiwon09b     29  8.9·10^7   false  true       0.39   389.9      9     1489   mustL   maxC
fencaiwon09s     29  2.9·10^8   false  false      0.39   110.0     11     2485   mustL   minS
fms2003s         31  1.4·10^7   false  true      27.82   111.1      6   156454   mustL   minS
ftechnik         36  1.2·10^8   false  false      0.01   109.2      0        0   mustL   minS
ipc              12  20592      false  false      0.01   120.4      5      529   mustL   minS
tbed-ctct        84  3.1·10^12  false  true      74.50   144.3      0        0   mustL   minS
tbed-noderailb   84  3.1·10^12  false  true       4.6    282.3     11      784   minT    maxL
tbed-uncont      84  3.6·10^12  true   false      5.5    381.8     12     4443   mustL   maxC
verriegel3b      52  1.3·10^9   false  true       1.66   121.2      1        4   minT    maxC
verriegel4b      64  6.2·10^10  false  true       4.5    131.8      1        4   minT    maxC
(Mem.), the number of supervisors (Num.) and the number of states of the
largest supervisor component constructed (Largest).
All examples have been solved successfully with no more than two minutes
of runtime, never using more than 400 MB of memory, even for models with
more than 10^12 reachable states. In all cases except fms2003s the largest
supervisor component has no more than 5000 states, so the supervisor can be
constructed efficiently.
It is also interesting to compare the compositional approach with the
modular approach. The modular results come from an implementation of the algo-
rithm described in [1], available in Supremica. The comparison is shown in
Table 4.2. The compositional approach was run with different heuristics, and
for each model the heuristic that gives the smallest execution time is selected.
Table 4.2 shows that for some models the modular approach is significantly
faster than the compositional approach. This is because the modular approach
only guarantees local nonblocking: to calculate a modular supervisor, the
connection between the specifications and the plants is exploited, and the
calculated supervisor is controllable but not necessarily globally nonblocking.
An additional nonblocking check is needed to ensure nonblocking. Table 4.2
also shows that the supervisor calculated by the modular approach is globally
blocking in all cases except the agv variants.
It can also be observed from Table 4.2 that for the variants of tbed and for
aip0sub1p0 the modular approach fails to give a result within 5 minutes. The
reason is that the modular approach examines more states and transitions than
necessary for these models [13].
A closer look at Table 4.1 and Table 4.2 reveals that when the heuristic
is chosen based on the size of the supervisor, the best strategy to construct
the candidate set is mustL, which ensures at least one local event in the
composed automaton. When the heuristic is chosen based on time, however,
the best strategy to construct the candidate set is minT, which results in
fewer transitions and consequently better time efficiency of the algorithm.
                                Compositional               Modular
Model           Aut  Size       Time [s]  Heuristic         Time [s]  Nonb.
agv              16  2.6·10^7    0.25     mustL/maxC        0.08      true
agvb             17  2.3·10^7    0.20     mustL/maxC        0.02      true
aip0alps         35  3.0·10^8    0.39     minT/maxC         0.05      false
aip0sub1p0       46  24386       0.09     mustL/maxL        -         -
fencaiwon09b     29  8.9·10^7    0.14     minT/maxC         0.16      false
fencaiwon09s     29  2.9·10^8    0.39     mustL/minS        0.06      false
fms2003s         31  1.4·10^7   26.7      mustL/minS        0.08      false
ftechnik         36  1.2·10^8    0.01     minT/maxC         0.13      false
ipc              12  20592       0.01     minT/maxC         0.06      false
tbed-ctct        84  3.1·10^12  74.50     mustL/minS        -         -
tbed-noderailb   84  3.1·10^12   1.87     minT/maxC         -         -
tbed-uncont      84  3.6·10^12   2.24     minT/maxC         -         -
verriegel3b      52  1.3·10^9    1.63     minT/maxC         0.26      false
verriegel4b      64  6.2·10^10   4.53     minT/maxC         0.16      false
Table 4.2: Compositional approach vs modular approach
Chapter 5
Summary of Included Papers
This chapter provides a brief summary of the papers that are included in the
thesis.
Paper I
Mohajerani, Sahar; Malik, Robi; Ware, Simon; Fabian, Martin:
On the Use of Observation Equivalence in Synthesis Abstraction.
In Proceedings of the 3rd International Workshop on Dependable
Control of Discrete Systems (DCDS'11), June 2011, Saarbrücken,
Germany.
The work in this paper deals with strengthening observation equivalence to
be applicable in a compositional synthesis. Three variations of observation
equivalence are proposed that guarantee the construction of a correct mod-
ular supervisor. An example in the paper shows the suitability of these
methods.
Paper II
Mohajerani, Sahar; Malik, Robi; Fabian, Martin: Nondetermin-
ism Avoidance in Compositional Synthesis of Discrete Event Sys-
tems. In Proceedings of IEEE Conference on Automation Science
and Engineering 2011(CASE’11), pp. 19-24, August 2011, Trieste,
Italy.
This paper generalises the compositional approach presented in [Paper I].
In this work renaming is introduced to make it possible to apply abstraction
steps that were not possible in the previous paper due to nondeterminism.
Paper III
Mohajerani, Sahar; Malik, Robi; Fabian, Martin: Compositional
Synthesis of Modular Supervisors Using Synthesis Equivalence.
Submitted to IEEE Transactions on Automatic Control, 2012.
This paper combines and generalises results of the previous papers and
proposes a general framework for calculating a least restrictive controllable
and nonblocking supervisor. In addition, the paper adds formal proofs for
the theorems, new abstraction rules and extensive experimental results.
Chapter 6
Concluding Remarks and Future Work
The state explosion problem is the main obstacle in calculating a supervisor.
It has been proven in [17] that the general synthesis problem is NP-complete.
However many systems are modular, which makes it possible to use the
compositional approach and abstraction to reduce complexity of the system
before synthesis.
The main contribution of this thesis is the development of different kinds of ab-
stractions that are guaranteed to preserve the final synthesis result, even
when applied to individual components. These abstraction methods can con-
siderably reduce the number of states to examine, saving memory and time.
Also in this work, renaming is introduced to avoid nondeterminism and its
associated problems. The computed supervisor is modular in that it typically
consists of several interacting components. The algorithm proposed in this
work has been implemented in the DES software tool Supremica. Experimen-
tal results show that the method successfully computes modular supervisors
for a set of large industrial models.
The compositional approach proposed here does not consider unobserv-
able events in the models. It is likely that more abstractions are possible
considering unobservable events in addition to local events.
The present framework does not support removing transitions other than
local selfloops, since removed transitions cannot be restored for control
decisions. It would be interesting to generalise the present framework to
support abstraction methods based on removing transitions.
Furthermore, finite-state machines augmented with bounded integer vari-
ables show good modelling potential, and it would seem useful to adapt the
described compositional synthesis approach to work directly with this type
of modelling formalism.

Bibliography
[1] K. Åkesson, H. Flordal, and M. Fabian. Exploiting modularity for
synthesis and verification of supervisors. In Proc. 15th IFAC World
Congress on Automatic Control, Barcelona, Spain, 2002.
[2] Knut Åkesson, Martin Fabian, Hugo Flordal, and Robi Malik.
Supremica—an integrated environment for verification, synthesis and
simulation of discrete event systems. In Proc. 8th Int. Workshop on
Discrete Event Systems, WODES ’06, pages 384–385, Ann Arbor, MI,
USA, July 2006.
[3] A. Arnold. Finite Transitions Systems: Semantics of Communicating
Systems. Prentice-Hall, 1994.
[4] A. Aziz, V. Singhal, G. M. Swamy, and R. K. Brayton. Minimizing
interacting finite state machines: A compositional approach to language
containment. In Proc. Int. Conf. Computer Design, 1994.
[5] G. Bouzon, M. H. de Queiroz, and J. E. R. Cury. Exploiting distin-
guishing sensors in supervisory control of DES. In Proc. 7th Int. Conf.
Control and Automation, ICCA ’09, pages 442–447, Christchurch, New
Zealand, December 2009.
[6] B. A. Brandin, R. Malik, and P. Dietrich. Incremental system verifica-
tion and synthesis of minimally restrictive behaviours. In 2000 American
Control Conf., pages 4056–4061, Chicago, IL, USA, 2000.
[7] Bertil Brandin and François Charbonnier. The supervisory control of the
automated manufacturing system of the AIP. In Proc. Rensselaer’s 4th
Int. Conf. Computer Integrated Manufacturing and Automation Tech-
nology, pages 319–324, Troy, NY, USA, 1994.
[8] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event
Systems. Kluwer, September 1999.
[9] C. G. Cassandras, S. Lafortune, and G. J. Olsder. Introduction to
the modelling, control, and optimization of discrete event systems. In
A. Isidori, editor, Trends in Control, pages 217–292. Springer, 1995.
[10] E. M. Clarke, D. E. Long, and K. L. McMillan. Compositional model
checking. In Proc. 5th IEEE Symp. Logic in Computer Science, pages
353–362, 1989.
[11] J. E. R. Cury. Modular supervisory control of large scale discrete
event systems. In R. Boel and G. Stremersch, editors, Discrete Event
Systems—Analysis and Control, pages 103–110. Springer, 2000.
[12] Lei Feng, Kai Cai, and W. M. Wonham. A structural approach to the
non-blocking supervisory control of discrete-event systems. Int. J. Adv.
Manuf. Technol., 41:1152–1168, 2009.
[13] Hugo Flordal. Compositional Approaches in Supervisory Control. PhD
thesis, Chalmers University of Technology, Göteborg, Sweden, 2006.
[14] Hugo Flordal and Robi Malik. Compositional verification in supervisory
control. SIAM J. Control and Optimization, 48(3):1914–1938, 2009.
[15] Hugo Flordal, Robi Malik, Martin Fabian, and Knut Åkesson. Compo-
sitional synthesis of maximally permissive supervisors using supervision
equivalence. Discrete Event Dyn. Syst., 17(4):475–504, 2007.
[16] A. Giua and F. DiCesare. Petri net structural analysis for supervisory
control. IEEE Trans. Robot. Autom., 10(2):185–195, April 1994.
[17] P. Gohari and W. M. Wonham. On the complexity of supervisory control
design in the RW framework. IEEE Trans. Syst., Man, Cybern., August
2000.
[18] Michael Heymann and Feng Lin. Discrete event control of nondetermin-
istic systems, 1997.
[19] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall,
1985.
[20] http://www4.in.tum.de/proj/korsys/.
[21] R. Kumar and M. A. Shayman. Centralized and decentralized super-
visory control of nondeterministic systems under partial observation.
SIAM J. Control and Optimization, 35(2):363–383, March 1997.
[22] R. J. Leduc. PLC implementation of a DES supervisor for a manufac-
turing testbed: An implementation perspective. Master’s thesis, Dept.
of Electrical Engineering, University of Toronto, ON, Canada, 1996.
[23] Feng Lin and W. Murray Wonham. Decentralized control and coordi-
nation of discrete-event systems with partial observation. IEEE Trans.
Autom. Control, 35(12):1330–1337, December 1990.
[24] Annette Lötzbeyer and R. Mühlfeld. Task description of a flexible pro-
duction cell with real time properties. Technical report, FZI, Karlsruhe,
Germany, 1996.
[25] Petra Malik, Robi Malik, David Streader, and Steve Reeves. Modular
synthesis of discrete controllers. In Proc. 12th IEEE Int. Conf. Engineer-
ing of Complex Computer Systems, ICECCS ’07, pages 25–34, Auckland,
New Zealand, 2007.
[26] Robi Malik and Hugo Flordal. Yet another approach to compositional
synthesis of discrete event systems. In Proc. 9th Int. Workshop on Dis-
crete Event Systems, WODES ’08, pages 16–21, Göteborg, Sweden, May
2008.
[27] Robin Milner. Communication and concurrency. Series in Computer
Science. Prentice-Hall, 1989.
[28] John O. Moody and Panos J. Antsaklis. Supervisory Control of Discrete
Event Systems Using Petri Nets. Kluwer, 1998.
[29] Peter J. G. Ramadge and W. Murray Wonham. The control of discrete
event systems. Proc. IEEE, 77(1):81–98, January 1989.
[30] Rong Su, Jan H. van Schuppen, and Jacobus E. Rooda. Model abstrac-
tion of nondeterministic finite-state automata in supervisor synthesis.
IEEE Trans. Autom. Control, 55(11):2527–2541, November 2010.
[31] Supremica. www.supremica.org. The official website for the Supremica
project.
[32] Simon Ware and Robi Malik. The use of language projection for compo-
sitional verification of discrete event systems. In Proc. 9th Int. Workshop
on Discrete Event Systems, WODES ’08, pages 322–327, Göteborg, Swe-
den, May 2008.
[33] Simon Ware and Robi Malik. Compositional nonblocking verification
using annotated automata. In Proc. 10th Int. Workshop on Discrete
Event Systems, WODES ’10, pages 374–379, Berlin, Germany, 2010.
[34] W. M. Wonham and P. J. Ramadge. Modular supervisory control of
discrete event systems. Math. Control, Signals and Systems, 1(1):13–30,
January 1988.
[35] Changyan Zhou and Ratnesh Kumar. A small model theorem for bisim-
ilarity control under partial observation. In Proc. American Control
Conf. 2005, pages 3937–3942, Portland, OR, USA, August 2005.
[36] Meng Chu Zhou, Frank Dicesare, and Daryl L. Rudolph. Design and im-
plementation of a Petri net based supervisor for a flexible manufacturing
system. Automatica, 28:1199–1208, November 1992.
Part II
Publications