Robust decentralized supervisory control of discrete-event systems

In this thesis we study robust supervisory control of discrete event systems in two different settings. First, we consider the problem of synthesizing a set of decentralized supervisors when the precise model of the plant is not known, but it is known that it is among a finite set of plant models. To tackle this problem, we form the union of all possible behaviors and construct an appropriate specification, from the given set of specifications, and solve the conventional decentralized supervisory control associated with it. We also prove that the given robust problem has a solution if and only if this conventional decentralized supervisory control problem has a solution. In another setting, we investigate the problem of synthesizing a set of communicating supervisors in the presence of delay in communication channels, and call it Unbounded Communication Delay Robust Supervisory Control problem (UCDR-SC problem). In this problem, We assume that delay is unbounded but it is finite, meaning that any message sent from a local supervisor will be received by any other local supervisors after a finite but unknown delay. To solve this problem, we redefine the supervisory decision making rules, introduce a new language property called unbounded-communication-delay-robust (UCDR), and present a set of conditions on the specification of the problem. We also show that the new class of languages that is the solution to this problem has some interesting relations with other observational languages

Fault recovery in discrete-event systems with intermittent and permanent failures

As systems grow more complex to cater to demanding operational requirements, they tend to suffer from increasing component failures. It is important to minimize the effect of these failures on the overall performance of these systems. In this thesis, fault recovery using discrete event systems theory is studied. It is assumed that the plant can be modeled as a finite state automaton, and that is prone to failures. For this study all events are assumed observable and the extension to the case of partial observation is left for future research. The problem of the synthesis of fault recovery procedures is studied. In particular, the cases are studied in which the plant may return to normal operation. This could be either because the failures are intermittent or because the plant has the capacity to repair or reset. Both of the above cases are studied in this thesis. It turns out that the problem is an instance of the problem of robust nonblocking supervisory control for countably infinite number of plants. The objective of the thesis is to obtain maximally permissive solution for the above problem. It is shown that the desired supervisor can be obtained as the maximally permissive solution of a robust control problem involving a bounded number of plants. Furthermore, an iterative procedure is provided to solve the original problem involving an infinite number of plants. The procedure is guaranteed to converge in a bounded number of steps. Several examples are provided to illustrate the proposed procedure

Limited Lookahead Policies for Robust Supervisory Control of Discrete Event Systems

In this thesis, Limited Lookahead Policies (LLP) have been developed for Robust Nonblocking Supervisory Control Problem (RNSCP) of discrete event systems. In the robust control problem considered here, the plant model is assumed to belong to a given finite set of DES models. The introduced supervisor computes the control action in online fashion and it is named Robust Limited Lookahead (RLL) supervisor. In comparison with offline supervisory control, RLL supervisor can reduce the complexity associated with the computation of control law as it looks at the behavior of system at the current state and of a limited depth in future. Since a conservative policy is adopted here, the behavior of the system under supervision of the RLL supervisor is generally more restrictive than the optimal offline supervisor. A sufficient condition is presented under which a limited lookahead window can guarantee the optimality (maximal permissiveness) of the RLL supervisor. In some problems, the required window length for maximally permissive RLL supervisor may become unbounded. To overcome this limitation RNSCP with State information (RNSCP-S) is studied and solved resulting in a state-based RLL (RLL-S) supervisor. The results of this thesis can be regarded as an extension of previous work in the literature on limited lookahead policies for (non-robust) supervisory control to the case of nonblocking robust supervisory control. The robust limited lookahead design procedures are implemented in MATLAB environment and applied to two examples involving spacecraft propulsion systems

Supervisory Control and Analysis of Partially-observed Discrete Event Systems

Nowadays, a variety of real-world systems fall into discrete event systems (DES). In practical scenarios, due to facts like limited sensor technique, sensor failure, unstable network and even the intrusion of malicious agents, it might occur that some events are unobservable, multiple events are indistinguishable in observations, and observations of some events are nondeterministic. By considering various practical scenarios, increasing attention in the DES community has been paid to partially-observed DES, which in this thesis refer broadly to those DES with partial and/or unreliable observations. In this thesis, we focus on two topics of partially-observed DES, namely, supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which is also interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as a reference formalism in this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed provided that a particular subnet, called observation subnet, satisfies certain conditions in structure. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we still consider the forbidden state problem but in PN vulnerable to SD-attacks. Assuming the control specification in terms of a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large-size systems, while the third method computes a policy with timely response even for large-size systems but at the expense of optimality. Finally, we investigate the liveness-enforcing problem still assuming that the system is vulnerable to SD-attacks. In this problem, the plant is modelled as a bounded PN, which allows us to off-line compute a supervisor starting from constructing the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we care about the verification of properties related to system security. Two properties are considered, i.e., fault-predictability and event-based opacity. The former is a property in the literature, characterizing the situation that the occurrence of any fault in a system is predictable, while the latter is a newly proposed property in the thesis, which describes the fact that secret events of a system cannot be revealed to an external observer within their critical horizons. In the case of fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. When studying event-based opacity, we use deterministic finite-state automata as the reference formalism. Considering different scenarios, we propose four notions, namely, K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties

Formal Methods and Safety for Automated Vehicles: Modeling, Abstractions, and Synthesis of Tactical Planners

One goal of developing automated road vehicles is to completely free people from driving tasks. Automated vehicles with no human driver must handle all traffic situations that human drivers are expected to handle, possibly more. Though human drivers cause a lot of traffic accidents, they still have a very low accident and failure rate that automated vehicles must match.Tactical planners are responsible for making discrete decisions for the coming seconds or minutes. As with all subsystems in an automated vehicle, these planners need to be supported with a credible and convincing argument of their correctness. The planners interact with other road users in a feedback loop, so their correctness depends on their behavior in relation to other drivers and road users over time. One way to ascertain their correctness is to test the vehicles in real traffic. But to be sufficiently certain that a tactical planner is safe, it has to be tested on 255 million miles with no accidents.Formal methods can, in contrast to testing, mathematically prove that given requirements are fulfilled. Hence, these methods are a promising alternative for making credible arguments for tactical planners’ correctness. The topic of this thesis is the use of formal methods in the automotive industry to design safe tactical planners. What is interesting is both how automotive systems can be modeled in formal frameworks, and how formal methods can be used practically within the automotive development process.The main findings of this thesis are that it is viable to formally express desired properties of tactical planners, and to use formal methods to prove their correctness. However, the difficulty to anticipate and inspect the interaction of several desired properties is found to be an obstacle. Model Checking, Reactive Synthesis, and Supervisory Control Theory have been used in the design and development process of tactical planners, and these methods have their benefits, depending on the application. To be feasible and useful, these methods need to operate on both a high and a low level of abstraction, and this thesis contributes an automatic abstraction method that bridges this divide.It is also found that artifacts from formal methods tools may be used to convincingly argue that a realization of a tactical planner is safe, and that such an argument puts formal requirements on the vehicle’s other subsystems and its surroundings