Modular synthesis of discrete controllers by Malik, Petra et al.
Modular Synthesis of Discrete Controllers
Petra Malik Robi Malik David Streader Steve Reeves
Department of Computer Science, University of Waikato
Hamilton, New Zealand
{petra,robi,dstr,stever}@cs.waikato.ac.nz
Abstract
This paper presents supervisory control theory in a process-algebraic setting, and proposes a way of synthesising modular supervisors that guarantee nonblocking. The framework used includes the possibility of hiding actions, which results in nondeterminism. As modularity crucially depends on the process equivalence used, the paper studies possible equivalences and points out that, in order to be consistent with respect to the nonblocking property and to supervisor synthesis, a conflict-preserving equivalence must be used. It applies the results to synthesise nonblocking modular supervisors for a manufacturing system.
1 Introduction
Many technical devices in use today are controlled by computer software that is reactive in nature, i.e., software that needs to maintain a continuous interaction with its environment. Such software is not only used for everyday household equipment, but also for sophisticated transport or manufacturing systems; application areas include automotive and aircraft electronics, chemical processing plants, and medical equipment. Many of these applications are highly safety-critical: an error in the control software may cause a failure of the system, incurring serious financial consequences or even loss of human life.
Reactive systems interact in a much more complex way than traditional software, which runs once to compute its output from a given input. This makes reactive systems very hard to understand and to get right. With software complexity continuously increasing over the past decades, the need for formal methods and tools to support engineers in the development of fault-free reactive software has become obvious. Building such tools requires sound mathematical models to describe and understand the dynamics of reactive system behaviour.
This paper compares and combines two approaches for modelling reactive systems that come from quite different backgrounds, namely supervisory control theory of discrete event systems, developed by control engineers, and process algebras, developed within the computer science community.
Consider a small manufacturing system that consists of two devices running in parallel and linked by a two-place buffer. The first device, called handler, fetches a workpiece and then puts it into the buffer, from where the second device can collect it for further processing. A controller to ensure that the buffer does not overflow can simply prevent the handler from putting a workpiece into the buffer when the buffer is full. Now assume further that the controller can only influence the fetching. Once the handler has got a workpiece, it cannot be prevented from placing it into the buffer. What does the controller need to look like in this scenario? Can buffer overflow be prevented more indirectly, by controlling the fetching, for example? This is the sort of problem supervisory control theory can solve.
While it is not too difficult to develop a controller for the small example given above, the task quickly becomes involved when considering manufacturing plants with different sorts of devices, buffers, and workpieces. Soon, the controllers become huge and incomprehensible for humans, and for more complex examples even unmanageable for a computer. Research in process algebra has focused on general ways of composing systems, and on abstracting or hiding aspects of a system that are irrelevant in a particular context. This allows the modelling of and reasoning about very large and complex systems in a modular way. Combined with the features and methodologies of supervisory control theory, this provides a powerful modelling framework for reactive control software.
In the following, section 2 introduces the relevant concepts and notations from supervisory control theory and process algebra. In section 3, supervisory control synthesis is extended to handle the nondeterministic framework considered in this paper. Section 4 explains the idea of modular synthesis using the example of a manufacturing system. Section 5 presents the main results and shows that congruence, and thus modularity, can be achieved by using a conflict-preserving equivalence. In section 6, these results are applied to synthesise a modular supervisor for the manufacturing system. Finally, section 7 discusses some related work, and section 8 closes with some concluding remarks.
2 Notation
2.1 Languages
Traces and languages are simple means to describe reactive system behaviours. Their basic building blocks are actions, also called events, which are taken from a finite alphabet $A$.
There are two special actions: the hidden action $\tau$ and the termination action $\omega$. The hidden action $\tau$ is commonly used in process algebras to describe behaviour that is internal to the system being modelled, that is, behaviour that cannot be observed or controlled by other systems or system components. The termination action $\omega$ is introduced to describe the concept of blocking from supervisory control theory. The two actions $\tau$ and $\omega$ do not belong to $A$; where they are to be included, the alphabets $A_\tau = A \cup \{\tau\}$ and $A_\omega = A \cup \{\omega\}$ are used instead.
$A^*$ denotes the set of all finite strings or traces of the form $\alpha_1 \alpha_2 \cdots \alpha_k$ of actions from $A$, including the empty trace $\varepsilon$. A language over $A$ is any subset $L \subseteq A^*$. The concatenation of two traces $s, t \in A^*$ is written as $st$. The concatenation of languages $L_1, L_2 \subseteq A^*$ is defined as $L_1 L_2 = \{\, st \in A^* \mid s \in L_1 \text{ and } t \in L_2 \,\}$. The prefix-closure $\overline{L}$ of $L \subseteq A^*$ is the set of all prefixes of traces in $L$, $\overline{L} = \{\, s \in A^* \mid st \in L \text{ for some } t \in A^* \,\}$. A language $L$ is called prefix-closed if $L = \overline{L}$.
2.2 Processes
Processes are modelled using nondeterministic labelled transition systems $P = (A, Q, \to, Q^\circ, Q^\omega)$, where $A$ is the alphabet of actions, $Q$ is the set of states, $\to \subseteq Q \times A_\tau \times Q$ is the transition relation, $Q^\circ \subseteq Q$ is the set of initial states, and $Q^\omega \subseteq Q$ is the set of terminal states.
Processes are represented graphically as shown in figure 1: states are represented as nodes, with the initial state highlighted by a thick border and terminal states shaded grey. The transition relation is represented by labelled edges. Process Handler_i in figure 1, for example, models a simple device that fetches a workpiece and then puts it somewhere else. Process Buffer_i models a two-place buffer.
[Figure 1 (image not reproduced). Processes for a small factory system: Handler_i, with states idle (the initial state, and the only terminal state) and working, and actions fetch_i and put_i; and Buffer_i, with states b0, b1, b2 and broken, and actions put_i and get_i.]
Supervisory control theory uses the set $Q^\omega$ of terminal states to represent the possibility of successful termination. Process Handler_i shown in figure 1, for example, may successfully terminate only if it is idle. To translate this into a process-algebraic action representation, every process is assumed to have a special state $\bot \in Q \setminus Q^\omega$ from which there are no outgoing transitions. Then the transition relation is extended by adding transitions
$q^\omega \xrightarrow{\omega} \bot$ for each $q^\omega \in Q^\omega$. (1)
This construction makes it possible to represent termination only by means of the termination action $\omega$ which, if it occurs, is always the last action of a trace.
The action-labelled transition relation $\to$ is further extended to a transition relation $\Rightarrow \subseteq Q \times A_\omega^* \times Q$ labelled with traces,
$q \overset{\varepsilon}{\Rightarrow} q'$ if $q = q_1 \overset{\tau}{\to} \cdots \overset{\tau}{\to} q_n = q'$ for some $q_1, \dots, q_n \in Q$; (2)
$q \overset{s\alpha}{\Rightarrow} q'$ if $q \overset{s}{\Rightarrow} q_s \overset{\alpha}{\to} q_{s\alpha} \overset{\varepsilon}{\Rightarrow} q'$ for some $q_s, q_{s\alpha} \in Q$. (3)
The set of all processes with action alphabet $A$ is denoted by $\Pi_A$. The transition relation is also defined for processes, denoting by
$P \overset{s}{\Rightarrow} P'$ (4)
that process $P \in \Pi_A$ evolves into $P' \in \Pi_A$ by executing actions $s \in A^*$. This is defined as
$(A, Q, \to, Q^\circ, Q^\omega) \overset{s}{\Rightarrow} (A, Q, \to, \{q\}, Q^\omega)$ (5)
if $q^\circ \overset{s}{\Rightarrow} q$ for some $q^\circ \in Q^\circ$. The notation $P \overset{s}{\Rightarrow}$ means that $P \overset{s}{\Rightarrow} P'$ for some $P' \in \Pi_A$.
The possible behaviours of a process are defined by the set of action sequences or traces it can execute. The language $L(P)$ of $P \in \Pi_A$ is defined as
$L(P) \overset{\text{def}}{=} \{\, s \in A_\omega^* \mid P \overset{s}{\Rightarrow} \,\}$. (6)
$L(P)$ is prefix-closed and contains all complete or incomplete traces that can be executed by a process, including or not including the termination action $\omega$. In traditional supervisory control theory, the set of complete behaviours is described by a separate marked language; in this paper, the possibility of termination is indicated by the presence of $\omega$ in the language $L(P)$ of a process instead.
[Figure 2 (image not reproduced). Synchronous composition Handler_i ‖ Buffer_i of the processes of figure 1, with states i0, w0, i1, w1, i2, w2, ib and wb, and actions fetch_i, put_i and get_i.]
Note that for every prefix-closed language $L$ there exists a deterministic process $P$ such that $L = L(P)$. The construction of this process is straightforward. In the following, a prefix-closed language is identified with its accepting deterministic process and used in places where a process is expected.
When several processes are running in parallel, lock-step synchronisation in the style of [7] is used. The synchronous composition $P_1 \| P_2$ of two processes $P_1 = (A_1, Q_1, \to_1, Q_1^\circ, Q_1^\omega)$ and $P_2 = (A_2, Q_2, \to_2, Q_2^\circ, Q_2^\omega)$ is defined as
$P_1 \| P_2 \overset{\text{def}}{=} (A_1 \cup A_2,\; Q_1 \times Q_2,\; \to,\; Q_1^\circ \times Q_2^\circ,\; Q_1^\omega \times Q_2^\omega)$, (7)
where
• $(q_1, q_2) \overset{\alpha}{\to} (q_1', q_2')$ if $\alpha \in A_1 \cap A_2$ and $q_1 \overset{\alpha}{\to}_1 q_1'$ and $q_2 \overset{\alpha}{\to}_2 q_2'$;
• $(q_1, q) \overset{\alpha}{\to} (q_1', q)$ if $\alpha \in (A_1 \setminus A_2) \cup \{\tau\}$ and $q_1 \overset{\alpha}{\to}_1 q_1'$;
• $(q, q_2) \overset{\alpha}{\to} (q, q_2')$ if $\alpha \in (A_2 \setminus A_1) \cup \{\tau\}$ and $q_2 \overset{\alpha}{\to}_2 q_2'$.
The process in figure 2 is the synchronous composition
of the two processes given in figure 1, but the state names
have been shortened.
Furthermore, a process-algebraic hiding or internalisation operator is introduced in the standard way [16, 18]. Given a process $P \in \Pi_A$, the result of hiding actions $A' \subseteq A$ is denoted by $P \setminus A'$. The process $P \setminus A' \in \Pi_{A \setminus A'}$ is constructed from $P$ by replacing every occurrence of an action in $A'$ by the hidden action $\tau$.
[Figure 3 (image not reproduced). A candidate supervisor C_i with states b0, b1 and b2, and actions fetch_i, put_i and get_i.]
2.3 Controllability and Nonblocking
Controllability and nonblocking are concepts from supervisory control theory, presented in this section in a process-algebraic setting. Controllability is motivated by the observation that control software can sometimes observe certain actions, like those associated with sensors, but cannot directly influence them. The nonblocking property makes sure that a system can always complete its task.
Supervisory control theory distinguishes between the system to be controlled, called the plant or environment, and the system that executes control, called the supervisor or controller. The supervisor interacts with the plant by disabling certain actions to achieve its control objectives.
However, the supervisor cannot control all actions. The alphabet of actions is partitioned into controllable actions and uncontrollable actions. A controllable action can be prevented from occurring by the supervisor, while an uncontrollable action cannot. The question arises whether a certain behaviour, given as a language, can be achieved by means of supervision. Such languages are called controllable [14].
Definition 2.1 Let $L, K \subseteq A_\omega^*$ be two prefix-closed languages, and let $U \subseteq A$ be the set of uncontrollable actions. $K$ is said to be $U$-controllable with respect to $L$ if $KU \cap L \subseteq K$.
If a language $K$ is controllable with respect to a plant behaviour $L$, then any uncontrollable action that is possible in the plant after a trace of $K$ must also be possible in $K$. Clearly, $K$ must not disallow an uncontrollable action if it is physically possible in the plant, because no supervisor can stop uncontrollable actions from occurring.
Consider the language $K$ given by the transition system in figure 3, which represents an attempt to build a supervisor to control the behaviour of the process in figure 2. $K$ is not $\{put_i\}$-controllable with respect to the language $L$ given by figure 2, since $fetch_i\, put_i\, fetch_i\, put_i\, fetch_i\, put_i$ is contained in $KU$ and in $L$ but not in $K$.
In addition to controllability, supervisors are required to perform some minimum functionality. In supervisory control theory, this is achieved by imposing a weak liveness condition, called nonblocking. It is required that the system is always able to complete its tasks, where completion of tasks can be represented using the set $Q^\omega$ of terminal states of a process, or equivalently by the termination action $\omega$.
Definition 2.2 A process $P \in \Pi_A$ is said to be nonblocking if for every trace $s \in A^*$ and every $P' \in \Pi_A$ such that $P \overset{s}{\Rightarrow} P'$ there exists a trace $t \in A^*$ such that $P' \overset{t\omega}{\Rightarrow}$. Otherwise $P$ is said to be blocking.
This definition is based on an implicit fairness assumption: the possibility of divergence is not considered as a problem. In order to be nonblocking, it is sufficient that every incomplete task can somehow be completed. As an example, process Handler_i in figure 1 is nonblocking, whereas process Buffer_i is blocking, because it is not possible to reach any terminal state from state broken.
3 Supervisory Control Synthesis
In traditional supervisory control theory, the plant is modelled as a generator of a language over an alphabet of actions, and the supervisor is a mapping from this language to the set of disabled or enabled actions. In an algebraic setting, plant and supervisor are considered to be processes. Given a plant $P \in \Pi_A$ and a supervisor $C \in \Pi_A$, the controlled behaviour of the plant under supervision is given by $P \| C$. The supervisor is assumed to be deterministic. The plant, and therefore also the controlled system $P \| C$, may be nondeterministic. This is a natural extension to the deterministic setting of traditional supervisory control theory.
The objective of supervisory control is to construct a supervisor for a given plant that meets certain control objectives. These control objectives are typically given as a specification language, representing the allowed behaviour of the system which must not be exceeded under any circumstances [15]. This paper adopts the viewpoint of [3], where it is shown that all control objectives can be expressed in terms of nonblocking. For example, a supervisor for plant Buffer_i in figure 1 has to prevent the process from entering state broken, because it would be blocking otherwise.
Given a plant $P \in \Pi_A$, the supervisory control problem therefore is to find a supervisor $C \in \Pi_A$ such that $P \| C$ is nonblocking. Furthermore, the supervisor $C$ must not prevent uncontrollable actions from occurring, i.e., $C$ must be controllable with respect to $P$. Thus, the supervisory control problem now consists of finding a supervisor within the following set of possible solutions.
Definition 3.1 Let $U \subseteq A$ be the set of uncontrollable actions. Define
$\mathcal{C}_U(P) \overset{\text{def}}{=} \{\, C \subseteq L(P) \mid C \text{ is } U\text{-controllable with respect to } L(P) \text{ and } P \| C \text{ is nonblocking} \,\}$. (8)
Supervisory control theory provides means to compute a behaviour that can be achieved by a supervisor as a language $C \subseteq A_\omega^*$. This language can be used to implement the actual supervisor as a process, simply by using a deterministic acceptor of the language.
An automatic synthesis algorithm must select one solution from $\mathcal{C}_U(P)$. Supervisory control theory tries to identify a solution that restricts the plant as little as possible. But from the definition of $\mathcal{C}_U(P)$ it is not immediately obvious whether such a least restrictive element exists. Therefore, it is now proven that the set $\mathcal{C}_U(P)$ is closed under union of languages. Since this is already known for controllability, it suffices to consider the nonblocking condition. The following proposition extends the known result from [15] to the nondeterministic case considered here.
Proposition 3.1 Let $P \in \Pi_A$ be a process, and let $(C_i)_{i \in I}$ be a family of languages over the alphabet $A_\omega$. If $P \| C_i$ is nonblocking for all $i \in I$, then $P \| \bigcup_{i \in I} C_i$ is nonblocking.
Proof. Let $P \| C_i$ be nonblocking for each $i \in I$. Consider $s \in A^*$ and $P', C' \in \Pi_A$ such that $P \overset{s}{\Rightarrow} P'$ and $\bigcup_{i \in I} C_i \overset{s}{\Rightarrow} C'$. Since $\bigcup_{i \in I} C_i \overset{s}{\Rightarrow}$, it follows that $s \in \bigcup_{i \in I} C_i$. Therefore, there exists $k \in I$ such that $s \in C_k$. Since $P \| C_k$ is nonblocking, there exists $t$ such that $P' \overset{t\omega}{\Rightarrow}$ and $st\omega \in C_k \subseteq \bigcup_{i \in I} C_i$. This proves that $P \| \bigcup_{i \in I} C_i$ is nonblocking. □
It follows that $\mathcal{C}_U(P)$ is closed under union of languages. Therefore, this set contains a unique supremal element, which can be used as the result of a supervisory synthesis algorithm.
Definition 3.2 Let $U \subseteq A$ and $P \in \Pi_A$. Then the synthesis result for $P$ with respect to $U$ is given by
$\sup \mathcal{C}_U(P) = \bigcup \mathcal{C}_U(P)$. (9)
The synthesis result for a given plant process $P$ is a language, which can also be interpreted as a deterministic process, called supervisor. Running the plant and supervisor processes together yields a process whose behaviour is nonblocking. Furthermore, the supervisor never disables uncontrollable actions that are physically possible, and is least restrictive in the sense that it disables as few controllable actions as possible.
As an example, consider figure 1 once more. The two processes shown there model the plant behaviour of a small factory consisting of a handler and a buffer. The handler fetches a workpiece (action fetch_i) and, when done, puts it into the buffer (action put_i), from where it can be collected (action get_i). The buffer itself cannot prevent overflow or underflow, so a controller is required that ensures safe usage.
[Figure 4 (image not reproduced). Controller for the small factory, $S_i = \sup \mathcal{C}_U(Handler_i \| Buffer_i)$, with states i0, w0, i1, w1 and i2, and actions fetch_i, put_i and get_i.]
If a controller can prevent the physical device from putting a workpiece into the buffer, the process $C_i$ in figure 3 can be used as a controller. Running the controller in parallel with the plant,
$Handler_i \| Buffer_i \| C_i$ (10)
results in a nonblocking system where the buffer never overflows or underflows.
However, if the handler cannot be prevented from putting workpieces into the buffer (put_i is uncontrollable), the process $C_i$ is not a feasible controller, because it tries to disable the uncontrollable action put_i when the buffer is full. Although the composition (10) remains nonblocking, the requirement of controllability rules out this behaviour as a potential supervisor. In this case, supervisory control synthesis can be used to compute a least restrictive supervisor. The result is shown in figure 4.
This process can be automatically computed from the synchronous composition of the two plants, which is shown in figure 2. To ensure nonblocking, a would-be supervisor has to prevent the plant from entering states ib and wb. This can be achieved by disabling the controllable transitions labelled get_i originating from states i0 and w0. However, the transition labelled put_i from state w2 is uncontrollable and therefore cannot be disabled by a supervisor. Therefore, this state also must be considered as unsafe, because the plant can always execute the uncontrollable action put_i and thus enter a blocking state. To ensure safe behaviour, a supervisor also has to prevent this state from being reached. This can be achieved by disabling the controllable transition labelled fetch_i in state i2. The resultant behaviour is controllable and nonblocking, and is shown in figure 4.
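The constructions of sections 2.2, 2.3 and 3 worked out in code on the small factory: synchronous composition (7), hiding, the nonblocking check of definition 2.2, the controllability check of definition 2.1, and the synthesis result (9), computed as a fixpoint over the subset construction of the plant, since a supervisor language can only observe traces. This is an added example and not code from the paper or its authors. Handler_i, Buffer_i and the candidate C_i are reconstructed from figures 1 and 3, with b0 assumed to be the only terminal state of Buffer_i and of C_i; the pair p1, p2 at the end is constructed here to anticipate the point made in section 5 and is not the paper's figure 8. Running the script reproduces the five-state supervisor of figure 4 and the five-state Sub_i of section 4.

```python
from collections import namedtuple
from itertools import product

TAU = "tau"  # hidden action; termination (omega) is represented by the set of terminal states
LTS = namedtuple("LTS", "alphabet trans initial terminal")  # trans: set of triples (q, action, q')

def lts(alphabet, trans, initial, terminal):
    return LTS(frozenset(alphabet), frozenset(trans), frozenset(initial), frozenset(terminal))

def states(p):
    return {q for q, _, _ in p.trans} | {q for _, _, q in p.trans} | p.initial | p.terminal

def compose(p1, p2):  # P1 || P2, definition (7): lock-step on shared actions, interleaving otherwise
    shared, trans = p1.alphabet & p2.alphabet, set()
    for s, a, t in p1.trans:  # TAU is never in an alphabet, so hidden moves always interleave
        trans |= ({((s, s2), a, (t, t2)) for s2, b, t2 in p2.trans if b == a} if a in shared
                  else {((s, q), a, (t, q)) for q in states(p2)})
    trans |= {((q, s), a, (q, t)) for s, a, t in p2.trans if a not in shared for q in states(p1)}
    return lts(p1.alphabet | p2.alphabet, trans, product(p1.initial, p2.initial), product(p1.terminal, p2.terminal))

def hide(p, hidden):  # P \ A': every action in A' becomes TAU
    return lts(p.alphabet - hidden, {(s, TAU if a in hidden else a, t) for s, a, t in p.trans}, p.initial, p.terminal)

def _closure(p, start, forward=True):  # states reachable from `start` along transitions, forwards or backwards
    seen, stack = set(start), list(start)
    while stack:
        q = stack.pop()
        for s, _, t in p.trans:
            nxt = t if (forward and s == q) else s if (not forward and t == q) else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def reachable(p): return _closure(p, p.initial)
def coreachable(p): return _closure(p, p.terminal, forward=False)

def is_nonblocking(p):  # definition 2.2: every reachable state can still reach a terminal state
    return reachable(p) <= coreachable(p)

def is_controllable(c, p, uncontrollable):  # definition 2.1, K U ∩ L(P) ⊆ K, for a deterministic C over A
    return all(any(s2 == x and b == a for s2, b, _ in c.trans)
               for q, x in reachable(compose(p, c)) for s, a, _ in p.trans if s == q and a in uncontrollable)

def determinize(p):  # subset construction over the trace relation (2)-(3): a supervisor only observes traces
    taus = lts(p.alphabet, {tr for tr in p.trans if tr[1] == TAU}, (), ())
    init = frozenset(_closure(taus, p.initial))
    dstates, dtrans, stack = {init}, {}, [init]
    while stack:
        X = stack.pop()
        for a in p.alphabet:
            Y = frozenset(_closure(taus, {t for s, b, t in p.trans if s in X and b == a}))
            if Y:
                dtrans[X, a] = Y
                if Y not in dstates:
                    dstates.add(Y)
                    stack.append(Y)
    return init, dstates, dtrans

def _supervisor(p, init, dtrans, good):  # deterministic C keeping only transitions between good subset-states
    return lts(p.alphabet, {(X, a, Y) for (X, a), Y in dtrans.items() if X in good and Y in good},
               {init} & good, {X for X in good if X & p.terminal})

def synthesize(p, uncontrollable):
    """sup C_U(P), definition 3.2: mark subset-states bad until P || C is nonblocking and no uncontrollable
    action leads from a good state into a bad one; None stands for the empty language (no supervisor)."""
    init, dstates, dtrans = determinize(p)
    bad = set()
    while True:
        good = dstates - bad
        pc = compose(p, _supervisor(p, init, dtrans, good))  # P || C with the bad states already disabled
        new_bad = {X for _, X in reachable(pc) - coreachable(pc)}
        new_bad |= {X for (X, a), Y in dtrans.items() if a in uncontrollable and X in good and Y in bad | new_bad}
        if not new_bad: break
        bad |= new_bad
    if init in bad: return None
    sup = _supervisor(p, init, dtrans, dstates - bad)
    keep = reachable(sup)
    return lts(sup.alphabet, {tr for tr in sup.trans if tr[0] in keep}, sup.initial, sup.terminal & keep)

# Figure 1 (reconstructed; b0 assumed to be the only terminal state of Buffer_i) and the candidate C_i of figure 3.
handler = lts({"fetch", "put"}, {("idle", "fetch", "working"), ("working", "put", "idle")}, {"idle"}, {"idle"})
buffer = lts({"put", "get"}, {("b0", "put", "b1"), ("b1", "put", "b2"), ("b2", "put", "broken"),
                              ("b1", "get", "b0"), ("b2", "get", "b1"), ("b0", "get", "broken")}, {"b0"}, {"b0"})
plant = compose(handler, buffer)
cand = lts({"fetch", "put", "get"}, {(b, "fetch", b) for b in ("b0", "b1", "b2")} |
           {("b0", "put", "b1"), ("b1", "put", "b2"), ("b1", "get", "b0"), ("b2", "get", "b1")}, {"b0"}, {"b0"})

def figure4():  # S_i = sup C_U(Handler_i || Buffer_i) with U = {put_i}: the five-state process of figure 4
    return synthesize(plant, {"put"})

def subsystem():  # Sub_i = (Handler_i || Buffer_i || S_i) \ {put_i}, equation (13)
    return hide(compose(plant, figure4()), {"put"})

# Constructed pair (not the paper's figure 8): same language {ε, a, aω}, yet a trace-based supervisor cannot
# separate the two a-branches of p2, so sup C(p2) is the empty language while sup C(p1) is all of L(p1).
p1 = lts({"a"}, {("q0", "a", "q1")}, {"q0"}, {"q1"})
p2 = lts({"a"}, {("q0", "a", "q1"), ("q0", "a", "q2")}, {"q0"}, {"q1"})

if __name__ == "__main__":  # expected: 5 5 False None
    print(len(reachable(figure4())), len(reachable(subsystem())), is_controllable(cand, plant, {"put"}), synthesize(p2, set()))
```

Passing the empty set as U, i.e. making put_i controllable as well, yields a six-state supervisor that keeps state w2, which is the situation in which the candidate C_i of figure 3 is acceptable; with U = {put_i} the fixpoint first marks ib and wb bad for blocking, then w2 because put_i leads into ib and cannot be disabled, and the result is exactly the five states and seven transitions of figure 4.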
[Figure 6 (image not reproduced). The machine processes: Mach1, with states idle, op11, op31 and op22, and actions input1, fetch1, get4, output1, get3 and fetch2; and Mach2, with states idle, op12, op32 and op21, and actions input2, fetch3, get1, fetch4, get2 and output2.]
4 A Modular Manufacturing System
The results presented so far can be used to synthesise controllers for relatively small examples only. The synthesis algorithm needs to compute the parallel composition of all the components to create the supervisor, which is not feasible for systems consisting of many components. Using the manufacturing system presented in [9], this section discusses how systems and controllers can be modelled and designed in a modular way. Modularity makes it possible to abstract away information that is not relevant in a particular context and thus makes it possible to handle huge systems.
Figure 5 gives an overview of the manufacturing system. It consists of two machines (Mach1 and Mach2) for processing workpieces and four subsystems (Sub_i, i = 1, ..., 4) for moving and buffering workpieces in transit between the machines. Each subsystem consists of a buffer (Buffer_i) that can store up to two workpieces, and a handler (Handler_i) that fetches a workpiece from a machine and puts it into the buffer.
The manufacturing system can produce two types of workpieces. Type I workpieces are first processed by Mach1 (action input1). Then they are passed through Sub1: they are fetched by Handler1 (fetch1) and placed into Buffer1 (put1). Next, they are processed by Mach2 (get1), fetched by Handler4 (fetch4) in Sub4 and placed into Buffer4 (put4). Finally, they are processed by Mach1 once more (get4), and released (output1). Similarly, type II workpieces are first processed by Mach2, passed through Sub3, further processed by Mach1, passed through Sub2, and finally processed by Mach2. The behaviour of the machines is formalised in figure 6. The subsystems are modelled in figure 1; the index i should be instantiated with the number of the subsystem considered.
There are several requirements that the controlled system is expected to satisfy. Firstly, the buffers must never overflow nor underflow, taking into account that actions put_i are uncontrollable. Another requirement is given as process Toplevel in figure 7, which is slightly stronger than in the original example [9]. It requires that the manufacturing system should produce type I and type II workpieces in alternating sequence, starting with a type I workpiece. The objective to avoid blocking is also included: the initial state of the system must always remain reachable. This is not guaranteed in the original example: the solution given in [9] can deadlock by simply filling up all the buffers and machines.
[Figure 5 (image not reproduced). Manufacturing system example: machines Mach1 and Mach2 linked by the subsystems Sub1 to Sub4, each consisting of Handler_i and Buffer_i. Mach1 communicates with Sub1 and Sub2 via fetch1, fetch2, get3 and get4, and Mach2 with Sub3 and Sub4 via fetch3, fetch4, get1 and get2; within each subsystem the handler passes workpieces to the buffer via put_i; the external actions are input1, output1, input2 and output2.]
[Figure 7 (image not reproduced). Top-level specification Toplevel, with states t0, t1 and broken, and actions output1 and output2.]
The buffer requirements are ideally suited for a modular synthesis since they affect only a few components of the system. Only actions put_i and get_i need to be controlled to ensure that process Buffer_i does not reach state broken. Since the only uncontrollable actions, put_i, can only occur after fetch_i, it is sufficient to control action fetch_i to prevent undesired put_i actions. Thus, a controller for buffer i only needs to observe actions fetch_i, put_i, and get_i; it does not need to care about any other actions and how the rest of the system behaves. Therefore, a supervisor $S_i$ for Sub_i can be computed from the plants concerned,
$S_i = \sup \mathcal{C}_U(Handler_i \| Buffer_i)$ (11)
where $U = \{put_i\}$. This construction has been discussed in section 3, and the result is shown in figure 4.
The subsystems
$Handler_i \| Buffer_i \| S_i$ (12)
can now be considered black-boxes [18] for which only the externally observable behaviour is of interest. Figure 5 suggests that actions put_i can be considered as private communication between the handler, buffer, and local supervisor: they are not used anywhere else and thus do not need to be observable from the outside. These actions can be replaced by the hidden action $\tau$. The black-box behaviour of the subsystems is thus given by
$Sub_i = (Handler_i \| Buffer_i \| S_i) \setminus \{put_i\}$. (13)
Hiding the internal actions in the subsystems alone does not bring much advantage, since the size of the transition systems remains the same. However, often a transition system containing hidden actions captures more information than is necessary, and this information can be abstracted away.
5 Congruence Results
Abstraction and process equivalence are the key to modular modelling and analysis of large-scale systems. Given a system consisting of several components, the idea is to replace individual components by simpler equivalent ones, such that the crucial properties of the whole system are preserved.
There are different ways how two processes may be considered as equivalent. Traditional supervisory control theory uses deterministic processes and compares them according to their languages. This leads to a simple equivalence, known as trace equivalence in process algebra.
Definition 5.1 Two processes $P_1, P_2 \in \Pi_A$ are said to be trace equivalent if their languages are equal, i.e., if $L(P_1) = L(P_2)$.
When considering nondeterministic behaviour, there are various other ways how processes can be considered as equivalent, and other equivalence relations $\simeq \subseteq \Pi_A \times \Pi_A$ become of interest. Research in process algebra has identified, examined, and compared such relations; see [19] for a nice overview.
[Figure 8 (image not reproduced). Two trace equivalent processes P1 and P2, over the actions α and β, that do not have the same synthesis result.]
An important property of process equivalences is to be a congruence with respect to the operators used. Congruences guarantee that, if a component of a system is replaced by an equivalent one, the behaviour of the resulting system remains equivalent to the behaviour of the original system. This is the key property that makes modular reasoning possible.
Definition 5.2 Let $\simeq \subseteq \Pi_A \times \Pi_A$ be an equivalence relation.
• $\simeq$ is called a congruence with respect to synchronous composition if $P_1 \simeq P_2$ implies $P_1 \| Q \simeq P_2 \| Q$ for every process $Q \in \Pi_A$.
• $\simeq$ is called a congruence with respect to hiding if $P_1 \simeq P_2$ implies $P_1 \setminus A' \simeq P_2 \setminus A'$ for each $A' \subseteq A$.
• $\simeq$ is called a congruence with respect to synthesis if $P_1 \simeq P_2$ implies $\sup \mathcal{C}_U(P_1) \simeq \sup \mathcal{C}_U(P_2)$.
The synthesis operator $\sup \mathcal{C}_U$ can be used to compute new processes, i.e. supervisors, from existing ones, i.e. the processes to be controlled. For such an application of synthesis to be feasible, the underlying process equivalence has to be a congruence with respect to synthesis.
Not all equivalences satisfy this property. For example, figure 8 shows two trace equivalent processes $P_1$ and $P_2$ for which the synthesis results are quite different. Assuming all actions are controllable, the synthesis result for $P_1$ is $L(P_1)$, while the synthesis result for $P_2$ is empty. This proves that trace equivalence is not a congruence with respect to synthesis. The same example can also be used to show that traditional equivalences like ready traces, failure traces, trajectories, and failures [19] are not congruences with respect to synthesis.
It is of interest to see what kind of process equivalence would be a congruence with respect to synthesis. A closer inspection of the synthesis operator shows that it has only one aspect that poses problems as far as congruence is concerned: the requirement that the synthesis result be nonblocking. Indeed, this requirement means that the underlying equivalence must preserve conflicts in order to guarantee congruence.
Definition 5.3 An equivalence $\simeq$ on $\Pi_A$ is said to preserve conflicts if $P_1 \simeq P_2$ implies that $P_1 \| T$ is blocking if and only if $P_2 \| T$ is blocking, for all $T \in \Pi_A$.
Two processes that are equivalent with respect to a conflict-preserving equivalence behave equally with respect to blocking in combination with an arbitrary test process. If one of them is blocking with some test, so must the other be. The following result shows that any conflict-preserving equivalence is a congruence with respect to synthesis.
Theorem 5.1 Let $\simeq$ be an equivalence on $\Pi_A$ that preserves conflicts. Then $P_1 \simeq P_2$ implies $\sup \mathcal{C}_U(P_1) = \sup \mathcal{C}_U(P_2)$.
Proof. Let $\simeq$ be an equivalence on $\Pi_A$ that preserves conflicts, and let $P_1 \simeq P_2$. By symmetry, it is sufficient to prove that $\sup \mathcal{C}_U(P_1) \subseteq \sup \mathcal{C}_U(P_2)$. Therefore, let $C = \sup \mathcal{C}_U(P_1)$, and show that $C$ is $U$-controllable with respect to $L(P_2)$, and that $P_2 \| C$ is nonblocking.
To see that $C$ is $U$-controllable with respect to $L(P_2)$, assume there are $s \in C$ and $\upsilon \in U$ such that $s\upsilon \in L(P_2)$ and $s\upsilon \notin C$. Since $C$ is the synthesis result for $P_1$, $C$ is $U$-controllable with respect to $L(P_1)$, i.e., $CU \cap L(P_1) \subseteq C$. Therefore, $s\upsilon \notin L(P_1)$. Let $T$ be a deterministic process with $L(T) = \{s\upsilon\} \cup C$. Then $T \overset{s\upsilon}{\Rightarrow} F$, where $F \in \Pi_A$ is the process that refuses all actions. Since $C$ is the synthesis result for $P_1$, $P_1 \| C$ is nonblocking. Because $s\upsilon \notin L(P_1)$, it follows by construction that $P_1 \| T$ is also nonblocking. But $P_2 \| T$ is blocking, since $s\upsilon \in L(P_2)$ and therefore $P_2 \| T \overset{s\upsilon}{\Rightarrow} F$. This contradicts the assumption that $P_1 \simeq P_2$ and $\simeq$ preserves conflicts.
To see that $P_2 \| C$ is nonblocking, first note that $P_1 \| C$ is nonblocking. Since $P_1 \simeq P_2$ and because $\simeq$ preserves conflicts, $P_2 \| C$ is nonblocking. □
An equivalence used for modular composition of processes as suggested above should also be a congruence with respect to all the other operators used to model a system. This usually includes synchronous composition and hiding. If the equivalence already is a congruence with respect to synchronous composition, we can use the results from [10] to weaken the requirement of definition 5.3. In this case, it is sufficient to require that the equivalence preserves blocking.
Definition 5.4 An equivalence $\simeq$ on $\Pi_A$ is said to preserve blocking if $P_1 \simeq P_2$ implies that $P_1$ is blocking if and only if $P_2$ is blocking.
Proposition 5.2 Let $\simeq$ be an equivalence on $\Pi_A$ that is a congruence with respect to synchronous composition and preserves blocking. Then $\simeq$ preserves conflicts.
Proof. Let $P_1 \simeq P_2$, and let $T \in \Pi_A$. Since $\simeq$ is a congruence with respect to synchronous composition, it holds that $P_1 \| T \simeq P_2 \| T$. Since $\simeq$ preserves blocking, it follows that $P_1 \| T$ is blocking if and only if $P_2 \| T$ is blocking. □
Thus, any process equivalence that is a congruence with respect to synchronous composition and preserves blocking can be used for modular reasoning with the supervisor synthesis operator. Such equivalences exist. Indeed, definition 5.3 can be used directly to define an appropriate equivalence: conflict equivalence, the coarsest conflict-preserving equivalence [10], which is also the coarsest equivalence that preserves blocking and is a congruence with respect to synchronous composition. Its main properties are repeated here for the sake of completeness.
Definition 5.5 (from [10]) Two processes $P_1, P_2 \in \Pi_A$ are conflict equivalent, written $P_1 \simeq_{conf} P_2$, if it holds for every test $T \in \Pi_A$ that $P_1 \| T$ is nonblocking if and only if $P_2 \| T$ is nonblocking.
Proposition 5.3 $\simeq_{conf}$ is a congruence with respect to $\|$ and preserves blocking.
Proof (from [10]). First, let $P_1 \simeq_{conf} P_2$ and $T \in \Pi_A$. To see that $P_1 \| T \simeq_{conf} P_2 \| T$, let $T' \in \Pi_A$ be a test such that $(P_1 \| T) \| T'$ is nonblocking. Then $P_1 \| (T \| T') = (P_1 \| T) \| T'$ is nonblocking, and since $P_1 \simeq_{conf} P_2$, it follows that $(P_2 \| T) \| T' = P_2 \| (T \| T')$ is nonblocking. Therefore, $\simeq_{conf}$ is a congruence with respect to $\|$.
Second, note that there exists a process $U_A \in \Pi_A$ such that $P \| U_A = P$ for every $P \in \Pi_A$. Let $P_1 \simeq_{conf} P_2$, and let $P_1$ be nonblocking. Then $P_1 \| U_A = P_1$ is nonblocking. Since $P_1 \simeq_{conf} P_2$, it follows that $P_2 = P_2 \| U_A$ is nonblocking. Thus, $\simeq_{conf}$ preserves blocking. □
Conflict equivalence furthermore can be shown to be a congruence with respect to hiding and other operators. Together with theorem 5.1, this implies that it is the coarsest equivalence that is a congruence with respect to synchronous composition, hiding, and synthesis, making it an ideal candidate for modular reasoning in supervisory control as suggested here.
[Figure 9 (image not reproduced). Simplifying subsystems: Sub_i, with states i0, w0, i1, w1 and i2, actions fetch_i and get_i, and the hidden action τ in place of put_i; and the conflict equivalent Sub'_i, with states s0, s1 and s2, and actions fetch_i and get_i.]
6 Manufacturing System Continued
According to the congruence results from section 5, it is possible to replace individual components of a large system designed using the operators parallel composition, hiding, and synthesis by conflict equivalent components. Doing so does not change, up to conflict equivalence, the behaviour of the result. This provides a powerful mechanism for the design of large controllers.
One possible application of the congruence results is the
possibility to abstract away information that is not neces-
sary. In the manufacturing example of section 4, it has been
recognised that the subsystems consisting of a handler and
a buffer can be controlled by local supervisors Si. Then the
uncontrollable actions puti can be hidden from the rest of
the system, resulting in
Subi = (Handleri ‖ Bufferi ‖ Si) \ {puti} .    (14)
The five-state processes Subi are conflict equivalent to the
three-state processes Sub′i as shown in figure 9—in fact,
bisimulations can be used to verify this [10, 11]. Using
transition systems with fewer states and transitions makes
the computation of subsequent operations cheaper, and for
large systems possible at all.
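The following Python module is an added worked example, not code from the paper or from the authors' tools. It implements finite-state versions of the operators used in definition 5.5 and in equation (14): synchronous composition ‖, hiding, the nonblocking check that the definition quantifies over, and a weak bisimulation check in the sense of Milner [11] with marked states treated as observable, which is a sufficient (but not necessary) condition for conflict equivalence. Everything about the models is an assumption: Subi is reconstructed from figure 9 as a handler feeding a two-slot buffer whose puti action is then hidden, Sub′i as a plain two-slot buffer, SUB_BAD is a deliberately wrong abstraction whose full buffer can never be emptied, and the two test processes (a machine that fetches and works, a loader that insists on three geti actions) are constructed here; none of them is taken from section 4, and the event name "tau" for the silent action is the module's own convention.

```python
"""Added example (not the paper's code): finite-state versions of the operators used in
sections 5 and 6. The process models are hypothetical reconstructions of figure 9."""
TAU = "tau"  # silent event produced by hiding (name is this module's convention)


def closure(start, step):
    """All states reachable from the set start via the successor function step."""
    seen, todo = set(start), list(start)
    while todo:
        for d in step(todo.pop()) - seen:
            seen.add(d); todo.append(d)
    return seen


class LTS:
    def __init__(self, init, marked, trans):
        self.init, self.marked = init, frozenset(marked)
        self.trans = frozenset(trans)  # (source, event, target) triples
        self.states = {init} | {s for s, _, _ in trans} | {d for _, _, d in trans}

    def alphabet(self):
        return {e for _, e, _ in self.trans} - {TAU}

    def succ(self, s, e):
        return {d for q, x, d in self.trans if q == s and x == e}

    def weak_succ(self, s, e):
        """Targets of tau* e tau* (just tau* when e is TAU)."""
        pre = closure({s}, lambda q: self.succ(q, TAU))
        if e == TAU:
            return pre
        return closure({m for q in pre for m in self.succ(q, e)}, lambda q: self.succ(q, TAU))


def compose(p, q):
    """p || q: shared events synchronise, private events and TAU interleave."""
    shared = p.alphabet() & q.alphabet()
    init = (p.init, q.init)
    trans, seen, todo = set(), {init}, [init]
    while todo:
        s, t = todo.pop()
        moves = {(e, (d, t)) for src, e, d in p.trans if src == s and e not in shared}
        moves |= {(e, (s, d)) for src, e, d in q.trans if src == t and e not in shared}
        moves |= {(e, (a, b)) for e in shared for a in p.succ(s, e) for b in q.succ(t, e)}
        for e, nxt in moves:
            trans.add(((s, t), e, nxt))
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    # a state pair is marked iff both components are marked
    return LTS(init, {(a, b) for a, b in seen if a in p.marked and b in q.marked}, trans)


def hide(p, events):
    """p \\ events: hidden events become TAU, which compose() never synchronises."""
    return LTS(p.init, p.marked, {(s, TAU if e in events else e, d) for s, e, d in p.trans})


def nonblocking(p):
    """Every reachable state can still reach a marked state (no deadlock, no livelock)."""
    reach = closure({p.init}, lambda q: {d for s, _, d in p.trans if s == q})
    coreach = closure(p.marked, lambda d: {s for s, _, t in p.trans if t == d})
    return reach <= coreach


def same_verdict(p, q, t):
    """The condition of definition 5.5 for a single test t."""
    return nonblocking(compose(p, t)) == nonblocking(compose(q, t))


def weakly_bisimilar(p, q):
    """Greatest weak bisimulation [11] with marking observable. Weak bisimilarity implies
    conflict equivalence (sufficient, not necessary), so True proves q may replace p."""
    rel = {(s, t) for s in p.states for t in q.states  # marking must agree up to tau steps
           if bool(p.weak_succ(s, TAU) & p.marked) == bool(q.weak_succ(t, TAU) & q.marked)}

    def matched(a, s, b, t, flip):
        # every step s -e-> s' of a needs a weak step t =e=> t' of b with the pair in rel
        return all(any(((u, dst) if flip else (dst, u)) in rel for u in b.weak_succ(t, e))
                   for src, e, dst in a.trans if src == s)

    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            if not (matched(p, s, q, t, False) and matched(q, t, p, s, True)):
                rel.discard((s, t)); changed = True
    return (p.init, q.init) in rel


# Hypothetical Sub_i: i_k / w_k = handler idle / holding a part, k parts buffered;
# put is then hidden as in equation (14). Sub'_i is a plain two-slot buffer.
SUB = hide(LTS("i0", {"i0"}, {("i0", "get", "w0"), ("w0", "put", "i1"), ("i1", "fetch", "i0"),
                              ("i1", "get", "w1"), ("w1", "put", "i2"), ("w1", "fetch", "w0"),
                              ("i2", "fetch", "i1")}), {"put"})
SUB_ABS = LTS("s0", {"s0"}, {("s0", "get", "s1"), ("s1", "get", "s2"),
                             ("s1", "fetch", "s0"), ("s2", "fetch", "s1")})
SUB_BAD = LTS("s0", {"s0"}, {("s0", "get", "s1"), ("s1", "get", "s2"),
                             ("s1", "fetch", "s0")})  # wrong abstraction: full buffer is stuck
# Constructed tests: a machine that fetches and works; a loader insisting on three gets.
MACHINE = LTS("m0", {"m0"}, {("m0", "fetch", "m1"), ("m1", "work", "m0")})
LOADER = LTS("t0", {"t3"}, {("t0", "get", "t1"), ("t1", "get", "t2"),
                            ("t2", "get", "t3"), ("t3", "fetch", "t3")})
```

On these models weakly_bisimilar(SUB, SUB_ABS) is true, so the three-state process may stand in for the five-state one in every composition, and both tests give the same nonblocking verdict for the two. SUB_BAD is not bisimilar to SUB, and the machine test separates it: SUB ‖ MACHINE is nonblocking, whereas SUB_BAD ‖ MACHINE reaches the full-buffer state and deadlocks. The asymmetry matters in practice: a finite list of tests can only refute conflict equivalence, never establish it, which is why the positive claim goes through bisimulation here; the decision procedures for conflict equivalence itself that the conclusions mention are not implemented.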
This modular construction of supervisors can be continued. In a
next step, it can be noted that actions fetch1 and fetch2 are
needed only for communication between machine Mach1 and
subsystems Sub1 and Sub2. Therefore, it is worth considering the
new subsystem
M1 = (Mach1 ‖ Sub′1 ‖ Sub′2) \ {fetch1, fetch2}    (15)
as a black box. This process M1 has 36 states and turns out to be
nonblocking, so no synthesis step is needed. Using simplification
procedures from [1, 2], this process can be replaced by a 27-state
conflict equivalent process M′1, which yields the same behaviour
of the overall system, up to conflict equivalence, as the larger
process M1. Likewise, a simplified subsystem M′2 can be
constructed from Mach2, Sub3, and Sub4 by hiding actions fetch3
and fetch4.
Finally, the simplified subsystem models are used to syn-
thesise a controller for the entire system,
S = sup CU(M′1 ‖ M′2 ‖ Toplevel) .    (16)
The synthesised supervisor S has 1,356 states. In combi-
nation with the local supervisors for the four subsystems,
this yields a modular supervisor for the entire manufactur-
ing system. By the results of section 5, the modular super-
visor is controllable and nonblocking. By theorem 5.1, it
achieves the same behaviour as any least restrictive mono-
lithic supervisor that does not make use of the hidden ac-
tions puti and fetchi.
The manufacturing example in section 4 is small enough
to allow the computation of a monolithic supervisor that
satisfies all requirements, is least restrictive, and guaran-
tees controllability and nonblocking using the standard al-
gorithms from [15]. The supervisor obtained in this way
has 17,038 states, which is much bigger than the modular
supervisors.
A great achievement of a modular design is that subcomponents
can be replaced by conflict equivalent processes without
affecting the overall behaviour of the system, and without having
to re-synthesise the supervisors that use those subcomponents.
This sort of substitutability is not possible in a centralised
design. A centralised supervisor does not have a black-box view
of subcomponents but can observe all actions. While this
generally leads to much more complicated supervisors, it allows
the synthesis of a least restrictive supervisor that achieves the
control objective optimally. In general, hiding actions, and thus
making them invisible to controllers constructed at later stages,
may force those controllers to prevent behaviour that would
otherwise be safe.
In the example, the hiding of the puti and fetchi actions has
been a deliberate design decision, based on the structure of the
overall system. In this particular case, the resultant supervisor
turns out to yield a least restrictive behaviour. In general, it
is up to the designer to decide under which circumstances least
restrictiveness or modularity is more important.
7 Related Work
Similar attempts to extend supervisory control theory
have been made by several researchers, in order to intro-
duce nondeterminism or to make the large set of process-
algebraic operators available and achieve modularity. How-
ever, most researchers in supervisory control theory have
paid little attention to congruence results.
Heymann [4] proposes a framework for supervisory con-
trol based on the failure trace semantics, which has been
extended to handle nonblocking [5]. He only considers
a weak kind of congruence, called language-congruence.
Language-congruence ensures that applying an operator to
equivalent processes results in processes that have the same
language, but are not necessarily equivalent. Congruence
results with respect to the synthesis operator are not consid-
ered.
Shayman and Kumar [17] provide another framework
based on the trajectory model, which has congruence re-
sults. The framework has also been extended to handle non-
blocking [8]. This approach is closely linked to the trajec-
tory model, which requires the use of unusual concepts of
hiding and nonblocking.
Overkamp [12, 13] introduces supervisory control of
nondeterministic systems based on failures semantics [7].
In this framework, only deadlock-freedom is considered,
and a pessimistic approach toward divergence is taken. This
approach therefore differs significantly from the original su-
pervisory control theory.
Recently, researchers in supervisory control theory have
made some efforts to achieve modular synthesis. Hill and
Tilbury [6] use language projection to simplify intermedi-
ate results. Their approach is limited to deterministic au-
tomata and the restricted abstraction potential of projection.
In [3], an alternative approach using state labelling is dis-
cussed which, while providing encouraging results, is much
more complicated and also fails to have the full abstraction
potential of process equivalence.
This paper proposes a process-algebraic framework that
is closely linked to the original supervisory control theory,
using concepts of synthesis and nonblocking that are imme-
diate extensions of the traditional concepts to the case of
nondeterminism. It studies the process equivalence needed
to ensure congruence results for all operations including
synthesis.
8 Conclusions
The objective of this research is to compare process alge-
bra and supervisory control theory and combine the advan-
tages of both. Process algebra provides modularity, while
supervisory control provides synthesis algorithms. Even
though the two research areas have many concepts and goals
in common, there are subtle differences that make commu-
nication difficult.
As a first step towards a combination of these two
fields, this paper describes supervisory control theory using
process-algebraic terminology. The original supervisory
control synthesis based on formal languages is extended in
a natural way to handle nondeterministic processes. This
makes it possible to examine congruence results with re-
spect to synthesis. The main result of this paper is that it
points out the close connection between such congruence
results and nonblocking: in order to obtain congruence with
respect to synthesis, and thus in order to guarantee modu-
larity, it suffices to use a conflict-preserving equivalence.
The example presented in section 6 demonstrates how such
an equivalence can be applied to address the long-standing
problem of synthesising modular nonblocking supervisors.
This work can be extended in several ways. The authors
have started to work on algorithms to minimise finite-state
systems in such a way that conflict equivalence is preserved.
A present solution uses heuristics and yields good results in
many cases [1,2]. Work is in progress to extend this and im-
plement effective decision and minimisation procedures for
conflict equivalence. In the future, the authors would like to
extend the framework to consider least restrictive supervi-
sors, build a tool to design large systems of processes using
synthesis in a modular way, and apply it to more realistic
applications.
References
[1] H. Flordal. Compositional Approaches in Supervisory Con-
trol. PhD thesis, Chalmers University of Technology,
Göteborg, Sweden, 2006.
[2] H. Flordal and R. Malik. Modular nonblocking verification
using conflict equivalence. In Proc. 8th Int. Workshop on
Discrete Event Systems, WODES’06, pages 100–106, Ann
Arbor, MI, USA, July 2006.
[3] H. Flordal and R. Malik. Supervision equivalence. In Proc.
8th Int. Workshop on Discrete Event Systems, WODES’06,
pages 155–160, Ann Arbor, MI, USA, July 2006.
[4] M. Heymann. Concurrency and discrete event control. IEEE
Control Syst. Mag., June 1990.
[5] M. Heymann and F. Lin. Nonblocking supervisory control
of nondeterministic systems. Technical Report CIS Report
9620, Technion – Israel Inst. of Technology, Haifa, Israel,
1996.
[6] R. C. Hill and D. M. Tilbury. Modular supervisory control
of discrete-event systems with abstractions and incremen-
tal hierarchical construction. In Proc. 8th Int. Workshop on
Discrete Event Systems, WODES’06, pages 399–406, Ann
Arbor, MI, USA, July 2006.
[7] C. A. R. Hoare. Communicating Sequential Processes.
Prentice-Hall, 1985.
[8] R. Kumar and M. A. Shayman. Non-blocking supervisory
control of nondeterministic systems via prioritized synchro-
nization. IEEE Trans. Automat. Contr., 41(8):1160–1175,
Aug. 1996.
[9] F. Lin and W. M. Wonham. Decentralized control and co-
ordination of discrete-event systems with partial observa-
tion. IEEE Trans. Automat. Contr., 35(12):1330–1337, Dec.
1990.
[10] R. Malik, D. Streader, and S. Reeves. Conflicts and fair
testing. Int. J. Foundations of Computer Science, 17(4):797–
813, 2006.
[11] R. Milner. A Calculus of Communicating Systems, vol-
ume 92 of LNCS. Springer, 1980.
[12] A. Overkamp. Supervisory control for nondeterministic sys-
tems. Technical Report BS-R9411, Dept. of Operations Re-
search, Statistics, and System Theory, CWI, Amsterdam,
The Netherlands, 1994.
[13] A. Overkamp. Supervisory control using failure seman-
tics and partial specifications. IEEE Trans. Automat. Contr.,
42(4), Apr. 1997.
[14] P. J. Ramadge and W. M. Wonham. Supervisory control of
a class of discrete event processes. SIAM J. Control and
Optimization, 25(1):206–230, Jan. 1987.
[15] P. J. G. Ramadge and W. M. Wonham. The control of dis-
crete event systems. Proc. IEEE, 77(1):81–98, Jan. 1989.
[16] A. W. Roscoe. The Theory and Practice of Concurrency.
Prentice-Hall, 1997.
[17] M. A. Shayman and R. Kumar. Supervisory control of non-
deterministic systems with driven events via prioritized syn-
chronization and trajectory models. SIAM J. Control and
Optimization, 33(2):469–497, 1995.
[18] A. Valmari. Compositionality in state space verification
methods. In Proc. 18th Int. Conf. Application and Theory
of Petri Nets, volume 1091 of LNCS, pages 29–56, Osaka,
Japan, June 1996. Springer.
[19] R. J. van Glabbeek. The linear time — branching time spec-
trum I: The semantics of concrete, sequential processes. In
J. A. Bergstra, A. Ponse, and S. A. Smolka, editors, Hand-
book of Process Algebra, pages 3–99. Elsevier, 2001.
