
    Supervisory Control and Analysis of Partially-observed Discrete Event Systems

    Nowadays, a variety of real-world systems fall into the class of discrete event systems (DES). In practical scenarios, due to factors such as limited sensor technology, sensor failure, unstable networks and even the intrusion of malicious agents, it can happen that some events are unobservable, multiple events are indistinguishable in observations, and observations of some events are nondeterministic. Considering these practical scenarios, the DES community has paid increasing attention to partially-observed DES, which in this thesis refer broadly to DES with partial and/or unreliable observations. In this thesis, we focus on two topics of partially-observed DES, namely supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which is also interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as the reference formalism in this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed, provided that a particular subnet, called the observation subnet, satisfies certain structural conditions. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we still consider the forbidden state problem, but in PN vulnerable to SD-attacks. Assuming the control specification is given as a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large-size systems, while the third method computes a policy with timely response even for large-size systems, at the expense of optimality. Finally, we investigate the liveness-enforcing problem, still assuming that the system is vulnerable to SD-attacks. In this problem, the plant is modelled as a bounded PN, which allows us to compute a supervisor off-line, starting from the construction of the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we address the verification of properties related to system security. Two properties are considered, i.e., fault-predictability and event-based opacity. The former is a property from the literature, characterizing the situation in which the occurrence of any fault in a system is predictable, while the latter is a property newly proposed in the thesis, which describes the fact that secret events of a system cannot be revealed to an external observer within their critical horizons. In the case of fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. When studying event-based opacity, we use deterministic finite-state automata as the reference formalism. Considering different scenarios, we propose four notions, namely K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties.

    The complexity of Petri net transformations

    Bibliography: pages 124-127. This study investigates the complexity of various reduction and synthesis Petri net transformations. Transformations that preserve liveness and boundedness are considered. Liveness and boundedness are possibly the two most important properties in the analysis of Petri nets. Unfortunately, although decidable, determining such properties is intractable in the general Petri net. The thesis shows that the complexity of these properties imposes limitations on the power of any reduction transformation to solve the problems of liveness and boundedness. Reduction transformations and synthesis transformations from the literature are analysed from an algorithmic point of view and their complexity established. Many problems regarding the applicability of the transformations are shown to be intractable. For reduction transformations this confirms the limitations of such transformations on the general Petri net. The thesis suggests that synthesis transformations may enjoy better success than reduction transformations, and that, because of the problems of establishing suitable goals, synthesis transformations are best suited to interactive environments. The complexity of complete reducibility, by reduction transformation, of certain classes of Petri nets proposed in the literature is also investigated in this thesis. It is concluded that these transformations are tractable and that reduction transformation theory can provide insight into the analysis of liveness and boundedness problems, particularly in subclasses of Petri nets.

    Decidability Issues for Petri Nets

    This is a survey of some decidability results for Petri nets, covering the last three decades. The presentation is structured around the decidability of specific properties, various behavioural equivalences and, finally, the model checking problem for temporal logics.

    Comparison and Evaluation of Deadlock Prevention Methods for Different Size Automated Manufacturing Systems

    In automated manufacturing systems (AMSs), deadlock problems can arise due to limited shared resources. Petri nets are an effective tool to prevent deadlocks in AMSs. In this paper, a simulation based on existing deadlock prevention policies and different Petri net models is considered to explore whether a permissive liveness-enforcing Petri net supervisor can provide better time performance. The simulation work is carried out as follows. (1) Assign time to the controlled Petri net models, which leads to timed Petri nets. (2) Build the Petri net model using MATLAB software. (3) Run and simulate the model, and analyze the simulation results to determine which existing policies are suitable for different systems. Siphon-based and iterative methods are used for deadlock prevention. Finally, the computational results show that the selected deadlock policies may not imply high resource utilization and plant productivity, which had been shown theoretically in previous publications. However, for all selected AMSs, the iterative methods always lead to structurally and computationally more complex liveness-enforcing net supervisors than the siphon methods. Moreover, they can provide better behavioral permissiveness than siphon methods for small systems. For large systems, a strict minimal siphon method leads to better behavioral permissiveness than the other methods.

    Methods and Formal Models for Healthcare Systems Management

    A healthcare system is an organization of people, institutions, and resources that delivers healthcare services to meet the health needs of target populations. The size of the systems, the huge number of agents involved and their different expectations make the management of healthcare systems a tough task, which could be alleviated through the use of technology. In this thesis, new methods and formal models for healthcare system management are presented. In particular, the thesis is divided into two main parts: the first deals with modeling and analysis in hospitals through the use of clinical pathways, while the second deals with the planning and scheduling of patients in the operating rooms.

    Regarding the modeling and analysis of healthcare systems, depending on different visions and expectations, the system can be treated from different perspectives called facets. In chapter 2, the formal definition and characterization of two facets are given: (1) the resource management facet and (2) the handshake between clinical pathways facet. They are obtained by applying a set of relaxations, abstractions and modifications to the Stochastic Well-formed Nets (colored Petri nets) modeling the healthcare system. In the first facet the S4PR subclass is obtained, which is a characteristic model of resource allocation systems, while in the second facet Deterministically Synchronized Sequential Processes (DSSP) are considered. Both nets (S4PR and DSSP) are formal subclasses of Petri nets where net-level techniques can be applied.

    In chapters 3 and 4, we focus on the liveness of the DSSP systems resulting from the facet of communication between clinical pathways. These kinds of nets are composed of agents (modeling clinical pathways) cooperating in a distributed way by asynchronous message passing through buffers (modeling the communication channels). In particular, two approaches have been proposed. The idea behind the first approach is to advance the buffer consumption to the first conflict transition in the agents. Considering healthcare systems modeled by a DSSP, this means that before a patient starts a clinical pathway, all required information must be available. Unfortunately, this pre-assignment method only works in some particular DSSP structures, which are characterized. A more general approach (than buffer pre-assignment) for liveness enforcing in non-live DSSP is given in chapter 4. The approach is formalized on two levels: execution and control. The execution level uses the original DSSP structure, while for the control level we compute a new net system called the control PN. This net system is obtained from the original DSSP and has a predefined type of structure. The control PN evolves synchronously with the non-live DSSP, ensuring that the deadlock states will not be reached. The states (markings) of the control PN enable or disable some transitions in the original DSSP, while some transitions in the control PN must fire synchronously with some transitions of the original DSSP.

    The second part of the thesis deals with surgery scheduling of patients in a hospital department. The Operating Rooms (ORs) are one of the most expensive material resources in hospitals, being the bottleneck of surgical services. Moreover, the aging population together with the improvement in surgical techniques are producing an increase in the demand for surgeries. So, the optimal use of OR time is crucial in healthcare service management. We focus on the planning and scheduling of patients in Spanish hospital departments, considering the particularities of their organizational structure as well as the concerns and specifications of their doctors.

    In chapter 5, the scheduling of elective patients under OR block booking is considered. The first criterion is to optimize the use of the OR, the second criterion is to prevent the total available time in a block from being exceeded, and the third criterion is to respect the preference order of the patients on the waiting list. Three different mathematical programming models for the scheduling of elective patients are proposed. These are combinatorial problems with high computational complexity, so three different heuristic solution methods are proposed and compared. The results show that a Mixed Integer Linear Programming (MILP) problem solved by a Receding Horizon Strategy (RHS) obtains better schedules in the lowest time. Doctors using the MILP problem must fix an appropriate occupation rate to optimize the use of the ORs without exceeding the available time. This has two main problems: i) inexperienced doctors could find it difficult to fix an appropriate occupation rate, and ii) the uncertainty in the surgery durations (large standard deviation) could result in schedules with over- or under-utilization. In order to overcome these problems, a New Mixed-Integer Quadratic Constrained Programming (N-MIQCP) model is proposed. Considering some probabilistic concepts, quadratic constraints are included in the N-MIQCP model to prevent the scheduling of blocks with a high risk of exceeding the available time. Two heuristic methods for solving the N-MIQCP problem are proposed and compared with other chance-constrained approaches from the literature. The results conclude that the best schedules are achieved using our Specific Heuristic Algorithm (SHA), since it obtains occupation rates similar to those of the other approaches while respecting the order of the patients on the waiting list much more closely.

    In chapter 6, a three-step approach is proposed for the combined scheduling of elective and urgent patients. In the first step, the elective patients are scheduled for a target Elective Surgery Time (EST) in the ORs, trying to respect the order of the patients on the waiting list. In the second step, the urgent patients are scheduled in the remaining time, ensuring that an urgent patient does not wait more than 48 hours. Finally, in the third step, the surgeries assigned to each OR (elective and urgent) are sequenced in such a way that the maximum time an emergency patient would have to wait is minimized. Considering realistic data, different policies for the time reserved in the ORs for elective and urgent patients are evaluated. The results show that all ORs should be used to perform both elective and urgent surgeries instead of reserving some ORs exclusively for one type of patient.

    Finally, in chapter 7 a software solution for surgery service management is given. A Decision Support System (DSS) for elective surgery scheduling and a software tool called CIPLAN are proposed. The DSS uses the SHA as its core for the scheduling of elective patients, but it has other features related to the management of a surgery department. The software tool CIPLAN, which is based on the DSS, is explained. The tool has a friendly interface which has been developed in collaboration with doctors at the “Lozano Blesa” Hospital in Zaragoza. A real case study comparing the schedules produced by the manual method with those obtained using CIPLAN is discussed. The results show that 128.000 euros per year could be saved using CIPLAN in the mentioned hospital. Moreover, the use of the tool allows doctors to reduce the time spent on scheduling and devote it to medical tasks.

    Strict Minimal Siphon-Based Colored Petri Net Supervisor Synthesis for Automated Manufacturing Systems With Unreliable Resources

    Various deadlock control policies for automated manufacturing systems with reliable and shared resources have been developed based on Petri nets. In practical applications, a resource may be unreliable, so the deadlock control policies proposed in previous studies are not applicable to such applications. This paper proposes a two-step robust deadlock control strategy for systems with unreliable and shared resources. In the first step, a live (deadlock-free) controlled system that does not consider the failure of resources is derived using strict minimal siphon control. The second step deals with the deadlock control issues caused by resource failures. Considering all resource failures, a common recovery subnet based on colored Petri nets is proposed for all resource failures in the Petri net model. The recovery subnet is added to the system derived in the first step to make the system reliable. The proposed method has been tested using an automated manufacturing system deployed at King Saud University.

    Algorithmic Verification of Asynchronous Programs

    Asynchronous programming is a ubiquitous systems programming idiom for managing concurrent interactions with the environment. In this style, instead of waiting for time-consuming operations to complete, the programmer makes a non-blocking call to the operation and posts a callback task to a task buffer that is executed later, when the time-consuming operation completes. A co-operative scheduler mediates the interaction by picking callback tasks from the task buffer and executing them to completion (and these callbacks can post further callbacks to be executed later). Writing correct asynchronous programs is hard because the use of callbacks, while efficient, obscures program control flow. We provide a formal model underlying asynchronous programs and study verification problems for this model. We show that the safety verification problem for finite-data asynchronous programs is EXPSPACE-complete. We show that liveness verification for finite-data asynchronous programs is decidable and polynomial-time equivalent to Petri net reachability. Decidability is not obvious, since even if the data is finite-state, asynchronous programs constitute infinite-state transition systems: both the program stack and the task buffer of pending asynchronous calls can be potentially unbounded. Our main technical construction is a polynomial-time semantics-preserving reduction from asynchronous programs to Petri nets and conversely. The reduction allows algorithmic techniques for Petri nets to be applied to the verification of asynchronous programs. We also study several extensions to the basic model of asynchronous programs that are inspired by additional capabilities provided by implementations of asynchronous libraries, and classify the decidability and undecidability of verification questions on these extensions.
    Comment: 46 pages, 9 figures

    Efficient verification of counter systems using relaxations

    Abstract: Counter systems are popular models used to reason about systems in various fields such as the analysis of concurrent or distributed programs and the discovery and verification of business processes. We study well-established problems on various classes of counter systems. This thesis focuses on three particular systems, namely Petri nets, which are a type of model for discrete systems with concurrent and sequential events; workflow nets, which form a subclass of Petri nets that is suited to modelling and reasoning about business processes; and continuous one-counter automata, a novel model that combines continuous semantics with one-counter automata. For Petri nets, we focus on reachability and coverability properties. We utilize directed search algorithms, using relaxations of Petri nets as heuristics, to obtain novel semi-decision algorithms for reachability and coverability, and positively evaluate a prototype implementation. For workflow nets, we focus on the problem of soundness, a well-established correctness notion for such nets. We precisely characterize the previously widely-open complexity of three variants of soundness. Based on our insights, we develop techniques to verify soundness in practice, based on reachability relaxations of Petri nets. Lastly, we introduce the novel model of continuous one-counter automata. This model is a natural variant of one-counter automata, which allows reasoning in a hybrid manner combining continuous and discrete elements. We characterize the exact complexity of the reachability problem in several variants of the model.

    Counter systems are models used to reason about systems in various fields such as the analysis of concurrent or distributed programs, and the discovery and verification of business processes. We study well-established problems on different classes of counter systems. This thesis focuses on three particular systems: Petri nets, which are a type of model for discrete systems with concurrent and sequential events; workflow nets, which form a subclass of Petri nets suited to modelling and reasoning about business processes; and continuous one-counter automata, a new model that combines continuous semantics with that of one-counter automata. For Petri nets, we focus on reachability and coverability properties. We use graph search algorithms, with relaxations of Petri nets as heuristics, to obtain new semi-decision algorithms for reachability and coverability, and we positively evaluate a prototype. For workflow nets, we focus on the soundness problem, a well-established correctness notion for these nets. We precisely characterize the hitherto largely open computational complexity of three variants of the soundness problem. Building on our results, we develop techniques to verify soundness in practice, using reachability relaxations of Petri nets. Finally, we introduce the new model of continuous one-counter automata. This model is a natural variant of one-counter automata which allows reasoning in a hybrid manner by combining continuous and discrete elements. We characterize the exact complexity of the reachability problem in several variants of the model.

    Contributions to the deadlock problem in multithreaded software applications observed as Resource Allocation Systems

    From the point of view of competition for serially reusable shared resources, a concurrent system composed of sequential processes is said to be in deadlock if it contains a set of processes that are waiting indefinitely for the release of certain resources held by members of that same set of processes. In reasonably complex or distributed systems, establishing a deadlock-free resource allocation policy can be a very hard problem to solve efficiently. In this sense, formal models, and Petri nets in particular, have become established as fruitful tools that allow the resource allocation problem in this kind of system to be abstracted, in order to address it analytically and provide efficient methods for the correct construction or correction of these systems. In particular, the structural theory of Petri nets stands as a powerful ally for dealing with the state explosion problem inherent to them. In this fertile context a series of works has flourished that advocate a design methodology oriented to the structural study and the corresponding physical correction of the resource allocation problem in families of systems that are highly significant in certain application contexts, such as Flexible Manufacturing Systems. The resulting classes of Petri net models assume certain restrictions, with physical meaning in the application context for which they are intended, that considerably alleviate the complexity of the problem. In this thesis, we attempt to bring this kind of methodological approach to the design of deadlock-free multithreaded software applications. To that end, it is shown how those restrictions originating in the world of Flexible Manufacturing Systems prove too severe to capture the versatility inherent to software systems with respect to the interaction of processes with shared resources. In particular, two fundamental modelling needs stand out that hinder the mere adoption of earlier approaches that arose from the perspective of other domains: (1) the need to support the nesting of non-unfoldable loops inside processes, and (2) the possible sharing of resources that are not available at system start-up but are created or declared by a running process. As a result, a series of basic requirements is identified for the definition of a type of model oriented to the study of multithreaded software systems, and a class of Petri nets, called PC2R, is presented that satisfies this list of requirements while remaining faithful to the design philosophy of earlier subclasses aimed at other application contexts. Together with the revision and integration of earlier results into the new conceptual framework, the thesis addresses the study of properties inherent to the resulting systems and their deep relationship with other types of models, the development of results and efficient algorithms for the structural analysis of liveness in the new class, and the revision and proposal of methods for solving deadlock problems adapted to the physical particularities of the application domain. Likewise, the computational complexity of certain aspects related to the resource allocation problem in the new context is studied, as well as the transfer of the aforementioned results to the domain of multithreaded software engineering, where the new class of nets makes it possible to tackle problems that are intractable under the theoretical framework and tools provided for previously exploited subclasses.

    Modeling and Analysis Methods for Multi-Agent Systems
