A Generalised Approach to Supervisor Synthesis
Roberto Ziller
University of Karlsruhe
Institute for Computer Design and Fault Tolerance
P.O. Box 6980, 76128 Karlsruhe, Germany
email: ziller@informatik.uni-karlsruhe.de
Klaus Schneider
University of Kaiserslautern
Department of Computer Science
P.O. Box 3049, 67653 Kaiserslautern, Germany
email: Klaus.Schneider@informatik.uni-kl.de
Abstract
We present a generalisation of the supervisory control problem proposed by Ramadge and Wonham. The objective of that problem is to synthesise a controller which constrains a system's behaviour according to a given specification, ensuring controllability and coaccessibility. By introducing a new representation of the solution using systems of μ-calculus equations we are able to handle these two conditions separately and thus to exchange the coaccessibility requirement by any μ-calculus expression. Well-known results on the complexity of μ-calculus model checking allow us to easily assess the computational complexity of any generalisation. As an example we solve the synthesis problem under consideration of fairness constraints.
1 Introduction
Many embedded systems used in safety-critical applications consist of reactive real-time controllers, whose design requires automatic tools to improve efficiency and avoid errors made by humans. Modern verification methods [4] allow designers to check a given specification for a controller, but do not support the actual specification process except for providing a simulation trace when an error has been found. Ideally, the specification itself should be generated by a tool that takes the informal requirements of the designer and either outputs a correct specification or rejects them if they cannot be implemented.

A solution that takes the latter approach is offered by the Ramadge-Wonham framework [11, 18]. The main idea is thereby to model the physically possible behaviour of a system and the specification for its desired behaviour by finite state machines. The method can be used to check whether a controller that ensures the specification can be constructed and, if this is not the case, to compute the largest subset of the specification for which a controller exists. This can then be used in place of the original specification, as long as the resulting behaviour is still acceptable.

The above is an informal description of the supervisory control problem formulated and solved by Ramadge and Wonham in [11, 19]. Its solution is required to satisfy two conditions. The first one is controllability, meaning that the behaviour of the system under supervision must remain within the specification. The second one is coaccessibility, meaning that the system must always be able to complete at least one task. These requirements are examples of safety and liveness properties. However, the description of reactive systems often includes fairness properties and therefore requires extended capabilities. In this paper, we generalise the supervisory control problem so that such properties can also be considered.
Related work in this direction uses Büchi and Rabin automata to model infinite behaviour and to derive results on controllability analogous to those of the classical framework [15, 16]. However, finite behaviour is not considered. Besides, translating an informal description of a system into ω-automata is not a trivial task, and the absence of directions to support that translation leaves a gap between theoretical possibilities and application.

An approach that can handle both finite and infinite behaviour is found in [1]. The system and its specification are described using μ-calculus formulas. These are translated into alternating tree automata, and the supervisor synthesis problem is reduced to the μ-calculus satisfiability problem [17], which is in turn cast as a search for winning strategies in parity games [7].

In contrast, our approach reduces the supervisory control problem to the μ-calculus model checking problem [17]. We depart from specifications written in temporal logics, which have equivalent formulations in the modal μ-calculus defined over systems of fixpoint equations. We illustrate our point of view with several specifications taken from verification literature [13], which we extend to encompass the RW controllability condition. The result is a generalised framework, of which the basic RW model and the extension in [16] are special cases. Moreover, the μ-calculus equations are well-suited for implementation with symbolic methods, which efficiently reduce the state explosion problem [2]. The chosen approach also enables us to use well-known results on the complexity of μ-calculus model checking [5] to derive the time complexity of any generalisation. Finally, the μ-calculus description can be understood by tools originally intended for verification, which are hereby extended to also handle controller synthesis.

The paper is organised as follows: Section 2 presents the Ramadge-Wonham framework and the supervisory control problem (SCP). Section 3 brings in μ-calculus expressions to present the known solution to SCP in a new formulation. Section 4 presents our generalised supervisory control problem along with several specification examples and its solution. The conclusion summarises the work.

Proceedings of the First ACM and IEEE International Conference on Formal Methods and Models for Co-Design (MEMOCODE'03) ISBN 0-7695-1923-7/03 $17.00 © 2003 IEEE
Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on March 16, 2009 at 07:48 from IEEE Xplore. Restrictions apply.
2 The Ramadge-Wonham Framework
The framework parallels continuous systems control theory, in which a system and its controller form a closed loop. There, the feedback signal from the controller influences the behaviour of the system, enforcing a given specification that would not be met by the open-loop behaviour. This foundation on control theory explains some of the terminology adopted within the RW framework, like the terms discrete event system (to designate an event-driven, discrete-space system, in opposition to time-driven, continuous systems) and plant (to designate the system to be controlled). It also leads naturally to the basic assumption that the description of the plant encompasses the whole physically possible behaviour of the system to be controlled (including unwanted situations), and that a specification is a subset of this behaviour that corresponds to the actions wanted to remain executable under control.

The plant is viewed as a system that generates events. It is also assumed that it has a control input, through which some of the events that could happen in each state can be prevented from occurring. The controller, referred to as supervisor, is an external agent that has the ability to observe the events generated by the plant and to influence its behaviour through the control input, as illustrated in Figure 1.

Figure 1. The basic RW model: plant and supervisor form a closed loop in which the plant emits events and the supervisor returns the control action.
Control problems are formulated using language theory and finite automata. A finite automaton is a 5-tuple consisting of a set of events, a set of states, a transition relation δ, an initial state, and a set of marker states. The marker states are chosen to mark the completion of tasks by the system. Those readers familiar with the RW literature will recall that δ is traditionally defined as a partial deterministic function. We use a relation instead because this simplifies notation later on: a triple of a state, an event and a successor state belongs to δ exactly when the event leads from the state to the successor state. In order to ensure the same functionality, we require the relation to be deterministic, that is, for every state and every event δ contains at most one successor state.

In the following, it is convenient to define the set of active events of a state as the subset of events for which there is a transition leaving that state:

Definition 1 (Active Events) Given an automaton and a particular state, the set of active events of that state consists of the events for which δ contains a transition leaving that state.
When a plant and its supervisor are represented by finite automata, the control action of the latter amounts to running these automata in parallel, according to the following definition:

Definition 2 (Automata product) Given two automata, their product is the automaton whose states are pairs of states of the two automata, whose initial state is the pair of initial states, whose marker states are the pairs of marker states, and whose transition relation contains a transition labelled with an event from a pair of states to a pair of successor states exactly when each component automaton has a transition labelled with that event from its component state to its component successor state.

Note that if a given transition is present in only one of the two component states, it will not be present in the product state, i.e., the set of active events of a product state is the intersection of the sets of active events of its two component states.
The control action of the supervisor enables only the events in the set of active events of the current product state. Hence, in order to forbid the occurrence of an event when the product is in a given state, it suffices to omit that event in the corresponding supervisor state.

However, reactive systems may contain events that cannot be prevented from occurring, e.g. system failures and sensor or alarm signals. Therefore, the event set is partitioned into the sets of controllable events (which the supervisor can disable) and uncontrollable events (whose occurrence cannot be avoided). This places a condition on the existence of supervisors: a specification given by an automaton can be implemented by a supervisor only if, for every state of the product of plant and specification, every uncontrollable event that is active in the plant component of that state is also active in the product state.

Specifications that do not fulfill this requirement are termed uncontrollable, because they allow the plant to reach a state in which uncontrollable events can occur and, at the same time, try to forbid the occurrence of one or more of these events in that state. Formally, this means that the product of plant and specification has one or more bad states, which are states that fail to satisfy the following condition:

(1)  every uncontrollable event active in the plant component of the product state is active in the product state itself.

Specifications whose product with the plant has no bad states are controllable.
Analysing the controllability of a specification further requires some language theory: Every automaton has an associated marked language, which consists of all event sequences that end up in a marker state, hence representing the tasks the system is able to complete. It is obtained by extending δ in the usual way to process strings of events instead of single events and collecting the strings that lead from the initial state to a marker state.

Given a specification automaton, its marked language is controllable if and only if the product of plant and specification has no bad states. The marked language of the plant under control of a supervisor is the marked language of the product of plant and supervisor. Ramadge and Wonham have shown that, for any plant and any specification language contained in the marked language of the plant, there exists the supremal controllable sublanguage of the specification language. This result is of practical interest: Given that the specification language is uncontrollable, it is possible to compute its supremal controllable sublanguage and to construct a supervisor under whose control the marked language of the plant is exactly that sublanguage. This language can replace the original specification, as long as the resulting behaviour under control is still acceptable.

Another aspect to consider is whether the supervisor always allows the system to make progress towards the completion of some task. This is not the case when the system can (1) reach a state in which no task is finished and no more events can occur (deadlock) or (2) be caught forever within a subset of states, none of which corresponds to a finished task (livelock). A supervisor that avoids these situations is said to be nonblocking. A nonblocking automaton is coaccessible, which means that there is at least one path leading from every state to a marker state. Controllability and coaccessibility come together in the following problem:
Definition 3 (Supervisory Control Problem (SCP) [11]) Given a plant, a specification language representing the desired behaviour of the plant under supervision, and a minimally acceptable behaviour, find a nonblocking supervisor such that the marked language of the plant under control of the supervisor contains the minimally acceptable behaviour and is contained in the specification language.

SCP is solvable if and only if the minimally acceptable behaviour is contained in the supremal controllable sublanguage of the specification language, and that sublanguage is its least restrictive solution [11]. A coaccessible automaton whose marked language is equal to the supremal controllable sublanguage can be computed from the plant automaton and the specification automaton, the latter constructed so that its marked language equals the specification language. Because the resulting automaton is a supervisor, this computation is often referred to as supervisor synthesis.

The above is a summary of the most important concepts originally presented in [11, 19, 12]; for a comprehensive description the reader is also referred to [18, 3].
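As an added example (not code from the paper or its authors), the following Python builds the product of Definition 2, computes active events as in Definition 1 and tests condition (1) on a constructed plant and two constructed specifications. The dictionary encoding of automata, the event names and the request-handler story are assumptions made here for illustration; uncontrollable events play the role of what the environment, or an attacker, can trigger regardless of the supervisor.

```python
"""Added example (not from the paper): the automata product of Definition 2
and the bad-state test of condition (1) on a small constructed
plant/specification pair.  An automaton is a dict with a relational
transition set of (source, event, target) triples, as in the paper.

Security reading: the plant is what the process can physically do, the
uncontrollable events are what the environment or an attacker can trigger,
and a specification that tries to disable an uncontrollable event cannot be
enforced by any supervisor (reference monitor), however it is implemented.
"""
from collections import deque


def automaton(delta, q0, marked):
    states = {q0} | {s for s, _, _ in delta} | {t for _, _, t in delta}
    return {"states": states, "delta": set(delta), "q0": q0, "marked": set(marked)}


def active(aut, q):
    """Definition 1: the events with a transition leaving state q."""
    return {e for s, e, _ in aut["delta"] if s == q}


def step(aut, q, e):
    """Deterministic transition relation: at most one target per (q, e)."""
    targets = {t for s, ev, t in aut["delta"] if s == q and ev == e}
    assert len(targets) <= 1, "transition relation must be deterministic"
    return next(iter(targets), None)


def product(g, s):
    """Definition 2, restricted (our choice) to the pairs reachable from the
    pair of initial states: an event is active in (q, x) only if it is
    active in both q and x."""
    q0 = (g["q0"], s["q0"])
    delta, seen, todo = set(), {q0}, deque([q0])
    while todo:
        q, x = todo.popleft()
        for e in active(g, q) & active(s, x):
            nxt = (step(g, q, e), step(s, x, e))
            delta.add(((q, x), e, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    marked = {(q, x) for (q, x) in seen if q in g["marked"] and x in s["marked"]}
    return automaton(delta, q0, marked)


def bad_states(g, prod, uncontrollable):
    """Condition (1): a product state is bad when an uncontrollable event
    that is active in its plant component is not active in the product,
    i.e. the specification silently disables an event nobody can disable."""
    return {(q, x) for (q, x) in prod["states"]
            if not (active(g, q) & uncontrollable) <= active(prod, (q, x))}


def is_controllable(g, s, uncontrollable):
    return not bad_states(g, product(g, s), uncontrollable)


# Constructed plant: a request handler.  'req' and 'fail' are driven by the
# client or the environment and cannot be disabled; the rest are the
# handler's own actions.  State 0 (idle) is the only marker state.
UNCONTROLLABLE = {"req", "fail"}
PLANT = automaton(
    delta={(0, "req", 1), (1, "serve", 0), (1, "auth", 2),
           (2, "serve", 0), (2, "fail", 3), (3, "drop", 0)},
    q0=0, marked={0})

# Constructed specification that forbids serving before 'auth' but forgot
# that authentication may fail: it disables the uncontrollable 'fail' in c.
SPEC_FORGETS_FAILURE = automaton(
    delta={("a", "req", "b"), ("b", "auth", "c"), ("c", "serve", "a")},
    q0="a", marked={"a"})

# Same policy, but the failure path is accounted for.
SPEC_OK = automaton(
    delta={("a", "req", "b"), ("b", "auth", "c"), ("c", "serve", "a"),
           ("c", "fail", "d"), ("d", "drop", "a")},
    q0="a", marked={"a"})

if __name__ == "__main__":
    print("bad states:", bad_states(PLANT, product(PLANT, SPEC_FORGETS_FAILURE), UNCONTROLLABLE))
    print("second spec controllable:", is_controllable(PLANT, SPEC_OK, UNCONTROLLABLE))
```

The first specification is rejected because the product state built from plant state 2 and specification state c has the uncontrollable event fail active in the plant but not in the product. The second specification disables only the controllable event serve in the product state built from plant state 1, which a supervisor can do.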
3 Classical Supervisor Synthesis
In this section we associate Kripke structures with the automata used in the RW framework and define a μ-calculus over them. Kripke structures are used in Subsection 3.3 to present a new description of the solution for SCP and are also needed to present our main result in Section 4. Because the μ-calculus is not usual in this context, we start with a brief review of basic concepts.
3.1 Fixpoint Calculus
Notations for extremal fixpoints of monotone operators have been introduced by different authors [9]. In particular, Tarski's work [14] has been frequently used in verification and synthesis literature [6, 15]. The following is an adaptation of the results found in these sources to suit our needs.

An operator $f$ on the powerset $2^S$ of a set $S$ is said to be monotone if, for any subsets $X, Y \subseteq S$,

$$X \subseteq Y \implies f(X) \subseteq f(Y). \qquad (2)$$

Such an operator has least and greatest fixpoints, which are the solutions of

$$X =_{\mu} f(X) \quad \text{and} \quad X =_{\nu} f(X),$$

where the symbols $\mu$ and $\nu$ indicate that we seek for the least and greatest values of $X$ that satisfy these equations. The solutions are denoted $\mu X.\,f(X)$ and $\nu X.\,f(X)$, and known to satisfy:

$$\mu X.\,f(X) = \bigcap \{X \subseteq S \mid f(X) \subseteq X\} \quad \text{and} \quad \nu X.\,f(X) = \bigcup \{X \subseteq S \mid X \subseteq f(X)\}.$$

Given that $S$ is finite and $f$ is monotone, the least fixpoint can be found by an iteration starting with $X_0 = \emptyset$ and computing $X_{i+1} = f(X_i)$ until, for some $i$, $X_{i+1} = X_i$ holds. The greatest fixpoint can be obtained by the same iteration starting with $X_0 = S$. In this paper, the fixpoint operators will be applied to the state set of a finite Kripke structure.

There is also another version of the modal μ-calculus, defined on equation systems [5, 13] of the form

$$X_1 =_{\sigma_1} \varphi_1, \;\ldots,\; X_n =_{\sigma_n} \varphi_n, \qquad \sigma_i \in \{\mu, \nu\} \text{ for } i = 1, \ldots, n,$$

where the formulas $\varphi_i$ may consist of the propositional operators (negation, conjunction and disjunction) and of four modal operators, each combining a path quantifier with a one-step temporal operator. The path quantifiers specify that the property that follows them in the expression must hold on at least one path (existential quantifier) or on all paths (universal quantifier) from some state in a Kripke structure; the temporal operators limit the length of the path on which the property has to be fulfilled to the immediate successor or the immediate ancestor states, respectively (see [4, 13] for background on modal operators and temporal logics). As usual, we require that all occurrences of the variables $X_i$ in every $\varphi_j$ occur under an even number of negation symbols.
Any such system of equations can be translated into a single fixpoint expression that uses the operators $\mu$ and $\nu$, and vice versa [5, 13]. We shall use the equation system to present our results throughout the paper.
3.2 Automata and Kripke Structures
Definition 4 (Kripke Structure of an Automaton) Given an automaton representing the product of a plant and a specification, we define its associated Kripke structure over a set of Boolean variables as follows. Its state set consists of two copies of the automaton's state set, one copy tagged 0 and the other tagged 1; its initial states are the copies of the automaton's initial state. Its transition relation relates two states of the 1-copy exactly when there is an event (controllable or not) leading from the first to the second in the automaton, and two states of the 0-copy exactly when an uncontrollable event leads from the first to the second. Its labelling marks the states of the 0-copy that stem from bad states of the automaton with a variable standing for badness, marks the states of the 1-copy that stem from marker states with a variable standing for marking, and marks every state with a variable that records which copy it belongs to.

Here, the uncontrollable events are those of Section 2. This creates a structure with two disconnected substructures, each of which has a copy of the original states of the automaton. The labelling enables us to address sets of states through Boolean expressions. Note that the Kripke structure can be constructed from the automaton in time linear in the size of the automaton (its states and transitions).

As an example, suppose the automaton in Figure 2 represents the product of some plant and specification. The composite names of the states have been replaced by single numbers for simplicity. States 3 and 5 are assumed to be bad, and the event set is partitioned into controllable and uncontrollable events.

Figure 2. Example automaton (states 0 to 5; states 3 and 5 are bad).

The two halves of the associated Kripke structure are shown in Figure 3. Each state of the left substructure is labelled with the variable that identifies that substructure. The left substructure has transitions only where the automaton has uncontrollable transitions, and in addition the states that correspond to bad states in the automaton carry the badness label. The right substructure reflects all transitions from the automaton, with the marking label identifying the state that corresponds to a marker state. Note that the substructure variable distinguishes the states from the two substructures, and that the left side does not know anything about the marker states, while the right side does not know about the bad states.

Figure 3. The associated Kripke structure: the left half holds the states (0,0) to (5,0) with the uncontrollable transitions only, the right half the states (0,1) to (5,1) with all transitions.

The following definitions give syntax and semantics of μ-calculus formulas:
Definition 5 (Syntax of μ-Calculus) Given a set of variables, the set of μ-calculus formulas over these variables is defined as the least set that satisfies the following rules: every variable is a formula; the negation of a formula and the conjunction and disjunction of two formulas are formulas; the application of each of the four modal operators of Subsection 3.1 to a formula is a formula; the application of a monotone state transformer function to a formula is a formula; and the least and greatest fixpoint of a formula with respect to a variable are formulas, each rule provided that its arguments are formulas over the given variables.
Definition 5 differs from those usually found in the literature in that it includes the formula obtained by applying a function to a formula. This allows us to use any monotone state transformer function in the computations. In particular, we will define a function that maps states of one of the above-mentioned substructures to the other.
Definition 6 (Semantics of μ-Calculus) Given a Kripke structure over a set of variables, we associate with each formula a set of states by the following rules: a variable denotes the states labelled with it; negation denotes the complement with respect to the state set; conjunction and disjunction denote intersection and union; the application of a monotone function denotes the image of the argument's denotation under that function; the existential and universal successor operators denote the states of which some, respectively every, successor lies in the denotation of the argument, and the existential and universal predecessor operators are defined analogously through the predecessors; and the least fixpoint of a formula with respect to a variable denotes the least set of states such that the denotation of the formula, evaluated in the Kripke structure in which exactly these states are labelled with that variable, equals this set.
If the body of a fixpoint formula is a monotonic function of the bound variable, then the least fixpoint formula denotes its least fixpoint [14]. We can also define some further macro operators, like the universal successor and predecessor operators expressed through negation and the existential ones, and the greatest fixpoint expressed as the negated least fixpoint of the negated body with the bound variable negated; the latter can be shown to be the greatest fixpoint of the body.

In order to apply the above definitions to Kripke structures stemming from automata according to Definition 4, we define the function that maps every state of one substructure to the state with the same automaton component in the other substructure, which is easily verified to be monotone (see condition 2). The function then toggles the variable that identifies the substructure to which a given state pertains, thereby enabling us to switch from one substructure to the other. For simplicity, we abbreviate its notation from this point on. Further, we have the following facts about the variables of Definition 4: the badness variable denotes exactly the left-substructure states stemming from initially bad automaton states; the marking variable denotes exactly the right-substructure states stemming from marker states; and the substructure variable denotes exactly the states of the right substructure, its negation exactly those of the left substructure.
In Section 4 we will need to refer to the Kripke structure formed by the states of one substructure only. The following definition establishes a notation for this purpose:

Definition 7 (Restriction of a Kripke Structure) Given a Kripke structure over a set of variables and a Boolean expression over these variables, the restriction of the Kripke structure to the state set denoted by the expression is the Kripke structure whose states are those denoted by the expression, whose initial states are the original initial states among them, whose transition relation is the original relation restricted to pairs of these states, and whose labelling agrees with the original labelling on these states and is undefined otherwise.
For example, the restriction to the substructure variable means the structure obtained by discarding the left substructure of the Kripke structure in Figure 3.

Any formula over the variables also describes a subset of the states of the automaton according to the following projection, which maps states from the Kripke structure back to the originating automaton:

Definition 8 (Kripke Structure State Projection) Given an automaton, its associated Kripke structure and a μ-calculus formula over the variables, we define the projection of the formula's denotation onto the state set of the automaton as the set of automaton states of which at least one copy, in either substructure, lies in the denotation.

With this projection, we can construct an automaton from a formula by restricting the state set of the original automaton to the projection of the formula. This completes the toolset to convert an automaton into a Kripke structure, compute a subset of states, and translate the result back to an automaton. For example, the set of states of the automaton that are accessible only through states lying in a given set is the least fixpoint that starts from the initial state and adds, at each step, the immediate successors of the states collected so far, keeping only states of the given set:

(3)  accessible states through the given set: least fixpoint of (initial state, or immediate-predecessor operator applied to the collected states), intersected with the given set.

Similarly, the set of states of the automaton that are coaccessible only through states lying in the given set is the least fixpoint that starts from the marker states and adds, at each step, the states with an immediate successor among those collected so far, again keeping only states of the given set:

(4)  coaccessible states through the given set: least fixpoint of (marker states, or immediate-successor operator applied to the collected states), intersected with the given set.
Of special interest is the alternation depth of a fixpoint expression [6, 10] or an equation system. Roughly speaking, this is the nesting depth of alternating $\mu$ and $\nu$ operators whose computation depends on each other. Expressions with a single operator have alternation depth 1 and are also called alternation free. The alternation depth of an equation system is the largest number of blocks of formulas seeking for a least or greatest fixpoint in the equation system that depend on each other to compute. The following result [13] will be useful to assess the computational complexity of our solution¹:

Theorem 1 (Complexity of μ-Calculus Model Checking) For every equation system of alternation depth $d$, whose length is given by the sum of the lengths of the right sides of the equations in the system, and every Kripke structure, there is an algorithm to compute its solution in time polynomial in the length of the system and in the size (states and transitions) of the structure, where the degree of the polynomial is determined by $d$ (see [13] for the exact bound).

Corollary 1 A system of equations of constant length and alternation depth $d$ written for a Kripke structure associated to an automaton can be solved in time polynomial in the size of the automaton, with the degree determined by $d$.

Proof. By construction, the Kripke structure from Definition 4 has twice as many states as the automaton and at most twice as many transitions. For constant system length, the result follows immediately.
3.3 Solving SCP
In this subsection, we present the solution for SCP in a new form. Our approach differs from the existing ones in that we replace the textual description of the algorithm by a system of μ-calculus equations. For that purpose, we use the Kripke structure associated to the product of plant and specification, with the specification automaton constructed so that its marked language equals the specification language. The solution obtained is amenable to further mathematical manipulation, leading naturally to the generalisation we propose.

¹ This holds when the state transformer function can be computed in time linear in the number of states, which we assume.
There are two different approaches in the literature to solve SCP, namely the original algorithm [19, 3, 18] and the one given in [8]. The first approach compares the plant and specification automata to find all states that are initially bad and then removes them from the product along with their transitions. Next, the resulting automaton is made trim, i.e., accessible and coaccessible. Because removing bad states can destroy coaccessibility and removing non-coaccessible states can expose new bad states, the algorithm is restarted with the trimmed automaton replacing the initial specification automaton, until a fixpoint is reached. Therefore, the search for initial bad states has to be repeated at each iteration. Since this requires information from the plant which is not present in our Kripke structure, this approach is not well suited as a base for our new formulation.

On the other hand, the algorithm from [8] does not eliminate bad or non-coaccessible states from the product at each iteration, but collects them and delays elimination until a fixpoint is reached. A state is considered bad if it has an uncontrollable transition leading to a state already classified as bad or non-coaccessible. The trimming operation is substituted by collecting non-coaccessible states and by taking the accessible component of the automaton obtained after the fixpoint has been reached. The initial bad states have to be computed only once at the beginning of the solution process. This corresponds to the computation of the set of states carrying the badness label, which is part of the construction of the Kripke structure associated to the product, and hence we base our solution on the latter approach.

We have derived μ-calculus expressions for the bad and for the non-coaccessible states in [20]. However, the generalisations we aim at now are best described in terms of the states to be preserved, instead of those to be eliminated. We shall therefore collect the coaccessible states (instead of the non-coaccessible ones) into one set, and the complement of the bad states, which we call good states, into another.

When collecting states, it is important to choose the appropriate half of the Kripke structure according to the transitions that matter in each case. For the good states, the computation has to be carried out on the left substructure, since only the uncontrollable transitions matter. For the coaccessible states, all transitions are relevant, and hence this computation has to be done on the right substructure. When it comes to consider the good states in the computation of the coaccessible states and vice versa, we switch from one substructure to the other using the toggling function. Hence the expression for the coaccessible states can be derived by choosing, as the restricting set in equation 4, the image of the good states under the toggling function, so as to keep only coaccessible states that are good:

(5)  coaccessible states: least fixpoint of (marker states, or immediate-successor operator applied to the collected states), intersected with the toggled good states.
An expression for the good states is difficult to obtain directly, so we start with an expression for the bad states and complement it later. We collect the bad states into a set, adding a new state to this set when it has an uncontrollable transition leading into a state that was already found to be bad or non-coaccessible. The initial value for this set is the set of states carrying the badness label, and the non-coaccessible states are given by the complement of the coaccessible states, which the toggling function maps on the corresponding states of the left substructure. The expression for the bad states is thus:

(6)  bad states: least fixpoint of (initially bad states, or immediate-successor operator applied to the collected states, or toggled complement of the coaccessible states).
The expression for ? is obtained by complementing equation 6 and substituting ? for ?. Because the complement brings in unwanted states identified by ?, we explicitly restrict the result to ? in equation 8. Note also that the complement makes ? a greatest fixpoint. We then have the following system of equations:
?    (7)
?    (8)
Note that ?. Therefore, ? contains the states that are coaccessible and controllable. Hence the solution for SCP is the automaton derived from the accessible states of ?. The set of accessible states can be computed by setting ? in equation 3 and restricting the result to the states ?:
?    (9)
The above discussion is a proof of the following:
Proposition 1 (Solution of SCP) The solution of SCP is given by restricting the automaton ? to the states ?, with ? given by equation 9.
The complexity of the overall computation is given by Corollary 1. Since the system of equations 7 and 8 has ?, we get ?, as expected [12, 3]. An example that illustrates the computation of the fixpoints is given in [20].
We can now proceed to our main result, which allows using other equations to describe the states to be collected, thereby generalising the class of problems that can be solved.
4 Generalising Supervisor Synthesis
This section discusses limitations of SCP and introduces the generalised version of the problem, GSCP. Several generalisation possibilities are presented in Subsection 4.2, and the solution for GSCP is presented in Subsection 4.3. Again, Corollary 1 enables us to assess the computational complexity of any solution derived through generalisation.
Proceedings of the First ACM and IEEE International Conference on Formal Methods and
Models for CoDesign (MEMOCODE’03) ISBN 0769519237/03 $17.00 © 2003 IEEE
4.1 Generalised Supervisory Control Problem
The solution for SCP presented in Subsection 3.3 generates an automaton ? such that ? is controllable and nonblocking, i.e., coaccessible. While controllability is likely to be required in any synthesis result, it is not difficult to imagine problems in which coaccessibility is not adequate to specify a desired behaviour. For example, suppose the system to be controlled is a manufacturing cell designed to produce a number of different parts, and that we want to restrict its behaviour through some specification. Suppose further that we want the resulting supervisor to allow the system to always be able to produce any of those parts. The last condition is a fairness constraint that cannot be expressed within SCP: If we model the production of each part as a finished task using marker states and apply the standard synthesis algorithm, then every nonempty supervisor will allow the system to reach at least one marker state. However, there is no guarantee that all marker states can be reached, and even if they can, it is still another problem to find out if they continue to be reachable all the time. In theory, the minimally acceptable behaviour ? in the formulation of SCP in Definition 3 could be used to reject an incomplete solution, but then the problem is transferred to finding out what ? should be. If this were easy to determine, it could already be regarded as a solution, which we don’t have by hypothesis.
This leads naturally to the question whether specifications like the above can be included in the synthesis process by modifying the requirement for coaccessibility, while controllability continues to be computed as before. The states fulfilling the new requirement would be computed on the same substructure used to compute the coaccessible states, and the new requirement must be fulfilled in every state of the right side of the Kripke structure ?, much like the requirement in SCP that all those states are coaccessible.
In the sequel, we bring in a series of fixpoint specifications used in formal verification. Each of them is an expression in temporal logics that can be interpreted as a requirement on the states of ?. We therefore generalise the supervisory control problem by replacing the requirement for a nonblocking supervisor by a temporal logics condition. Our generalised problem is formulated as follows²:
Definition 9 (Generalised Supervisory Control Problem) (GSCP) Given a plant ? and a specification represented by both a language ? and a temporal logics condition ?, find a supervisor ? for ? such that ? and ?.
Before presenting the solution for GSCP, we give some examples of what the temporal logics condition ? could be.
²The symbol ? is read ’satisfies’.
4.2 Examples of Fixpoint Specifications
This subsection lists temporal logics expressions used in the design of reactive systems. Such expressions represent states of a Kripke structure that satisfy some temporal property. For example, the expression ? stands for the states from which there is an infinite path that eventually reaches a state whose labelling satisfies the Boolean expression ?. The states satisfying any temporal logics expression can be computed by translating the expression into a system of μ-calculus equations (cf. [13]) whose solution is the desired set of states. Temporal logics expressions are thus used in formal verification to solve the model checking problem, which consists of solving the corresponding equation system and checking whether its solution contains the initial states of the Kripke structure.
In contrast, we shall use the solution of the equation system to restrict the Kripke structure ? to the states satisfying the desired property, thereby synthesising a supervisor as formulated in GSCP. The problems that can be solved are not limited to the expressions presented below, but open to any expression written according to a specific need. The following ones are just examples to illustrate the application of the generalised approach.
• ? holds in every state of a structure that has an infinite path that runs through states that satisfy the property ?. This property can be expressed in the μ-calculus as:
?
• ? holds in every state of a structure that has an infinite path that reaches a state that satisfies the property ?. Its μ-calculus definition is:
?
? represents the set of states that have an infinite path, and ? will therefore satisfy those states that can reach a state where ? holds.
• If ? is not to be restricted to infinite paths, we write
?    (10)
This means that ? can be dropped in the equation system above, which is reduced to:
?
• ? holds in every state of a structure that has an infinite path that reaches a state that satisfies the property ?, and up to (but not necessarily including) this state, will only run through states that satisfy the property ?. Its μ-calculus definition is:
?
? represents the set of states that have an infinite path, and ? will therefore satisfy those states that can reach a state where ? holds, while only states satisfying ? may be traversed.
• ? is the version of ? that also considers finite paths. Dropping the equation for ? reduces the above equation system to:
?
• ? holds in states that have at least one infinite path where after some point of time ? always holds. This translates to:
?
As in our first example, ? computes the set of states that have an infinite path where ? always holds. ? computes the set of states that can reach the set ? via a possibly finite path.
• If we want to compute the set of states that can reach a state with some property ? at least twice, while only states satisfying ? may be traversed, then the following equation system is appropriate:
?
• Again, finite paths can be considered by dropping ?:
?
• ? holds in states that have at least one path where states satisfying ? are traversed infinitely often. This is computed as follows:
?
• We will now extend the previous condition in that the path should additionally only run through states satisfying ?. Hence, we want to compute the states that satisfy the property ?:
?
• We extend the previous condition once more, considering different sets of states ? that should be reached infinitely often. The property to be computed is
?    (11)
which can be expressed in the μ-calculus as follows:
?
• Finally, we consider the property ?, which is known as the acceptance condition of Rabin automata used in [15, 16].
?
4.3 Solving GSCP
We can now present our main result, which consists of combining the solution for SCP presented in Subsection 3.3 with the conditions represented by equation systems like those in Subsection 4.2. Our generalisation is governed by the following principle, which we assume to have an axiomatic character: while coaccessibility can be exchanged by any other condition, controllability must always be respected.
Formally, we mean that equation 7 can be replaced by any set of equations needed to specify some desired property, while equation 8 has to be modified so that the states having the new property take the place of ?. The systems of equations presented in Subsection 4.2 have the general form:
?
Here, ? is the set of states satisfying condition ?. According to our argumentation in Subsection 4.1, this condition should be applied only to the substructure of ? originally used to compute the coaccessible states. This can be achieved by restricting the expressions for ? and ? to ?. Further, looking for a supervisor requires that all paths in the solution contain only good states, which implies restricting the above state sets to ?. Hence the generalised equation system has the following pattern:
?
As in Subsection 3.3, the accessible states from ? can be computed by making ? in equation 3 and restricting the result to the states ?:
?    (12)
The above discussion is a proof of the following:
Proposition 2 (Solution of GSCP) The solution of GSCP is given by restricting the automaton ? to the states ?, with ? given by equation 12.
4.4 Generalisation Examples
As a first example, let us derive the solution for SCP from the generalised problem. SCP requires that every state has a path (no matter whether finite or infinite) leading to a marker state. This can be expressed by the temporal logics condition ?. Substituting ? in expression 10 and ? in the generalised solution pattern for GSCP we get:
?
The first equation can be simplified if we note that the computation of ? starts with the empty set (because it is a least fixpoint) and that the states ? are all on the substructure identified by ?. Therefore, the computation of the fixpoint never yields states of ? that would have to be cut out by the conjunction with ?. Hence the latter can be dropped, which transforms the first of the equations above into equation 7. The second equation is already equation 8.
As a second example, we solve the fairness problem described in Subsection 4.1. Let the states that should remain reachable infinitely often be ?. Then the temporal logics expression that formalises the problem is ?, which is expression 11 with ?. According to Subsection 4.3, the generalised equation system is:
?
The supervisor can again be constructed by restricting the automaton ? to the set of states ?. The computational complexity of the solution can also be easily assessed: since the system of equations above has alternation depth 2, this problem has the same computational complexity as SCP, namely ?.
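The nested fixpoint of Subsection 3.3 (equations 7 to 9), the fixpoint specifications of Subsection 4.2 and the fairness instance of the generalised pattern worked out above can all be executed on a small finite plant. The Python below is an added illustration written for this edition; it is not code from the paper or its authors. The plant (a cell producing parts A and B, with a lockable A-only mode and a maintenance state that can fail uncontrollably), the event names, the split into controllable and uncontrollable events and the function names pre, fix, ef, eg, e_gf_all, synthesize and enabled are all constructed for the example. The same synthesis routine is run twice, once with coaccessibility as the condition (the classical problem) and once with the fairness condition that both part types remain producible infinitely often, so the effect of exchanging the condition while keeping controllability is visible in the states each supervisor keeps.

```python
# Added example (not from the paper): mu-calculus fixpoint operators on a small
# constructed plant, and the nested fixpoint that yields a supervisor.
from typing import Callable, FrozenSet, Tuple

State = str
Trans = Tuple[State, str, State]          # (source, event, target)
Pred = Callable[[FrozenSet[State]], FrozenSet[State]]

# Constructed plant: the cell makes part A (marker states A, A2) and part B
# (marker state B). After B it can be locked into an A-only cycle (r, a2, A2);
# maintenance m can fail uncontrollably into the dead state d.
STATES = frozenset("i a A b B r a2 A2 m d".split())
TRANS = [("i", "startA", "a"), ("a", "finishA", "A"), ("A", "reset", "i"),
         ("i", "startB", "b"), ("b", "finishB", "B"), ("B", "reset", "i"),
         ("B", "lock", "r"), ("r", "startA", "a2"), ("a2", "finishA", "A2"),
         ("A2", "reset", "r"), ("i", "maint", "m"), ("m", "ok", "i"), ("m", "fail", "d")]
UNCONTROLLABLE = frozenset({"finishA", "finishB", "ok", "fail"})
MARK_A, MARK_B = frozenset({"A", "A2"}), frozenset({"B"})


def pre(trans, scope, targets, events=None):
    """Diamond operator on the substructure `scope`: states of `scope` with a
    transition (optionally restricted to `events`) into `targets` inside `scope`."""
    return frozenset(s for s, e, t in trans
                     if s in scope and t in scope and t in targets
                     and (events is None or e in events))


def fix(f: Pred, start: FrozenSet[State]) -> FrozenSet[State]:
    """Tarski iteration: least fixpoint when started from the empty set,
    greatest fixpoint when started from the full state set."""
    cur = start
    while (nxt := f(cur)) != cur:
        cur = nxt
    return cur


def ef(trans, scope, p):
    """E F p = mu Y. p or <>Y: states with a (possibly finite) path to a p-state."""
    return fix(lambda y: (p & scope) | pre(trans, scope, y), frozenset())


def eg(trans, scope, p):
    """E G p = nu Y. p and <>Y: states with an infinite path through p-states only."""
    return fix(lambda y: (p & scope) & pre(trans, scope, y), scope)


def e_gf_all(trans, scope, fair_sets):
    """E (GF F_1 and ... and GF F_n) = nu Y. AND_i <>(mu Z. (F_i and Y) or <>Z):
    states with one infinite path visiting every F_i infinitely often.
    A mu nested inside a nu, i.e. alternation depth 2."""
    def step(y):
        result = scope
        for f_i in fair_sets:
            reach = fix(lambda z: (f_i & y & scope) | pre(trans, scope, z), frozenset())
            result &= pre(trans, scope, reach)
        return result
    return fix(step, scope)


def synthesize(states, trans, init, uncontrollable, condition):
    """nu Z. good(Z): keep a state only while it satisfies `condition` within Z
    and no uncontrollable event can drive it into a state that was dropped.
    `condition(scope)` is E F marker for the classical problem; any other
    fixpoint expression gives a generalised supervisor."""
    states = frozenset(states)
    def step(z):
        ok = condition(z)
        # bad = mu B. (not ok) or <uncontrollable> B
        bad = fix(lambda b: (states - ok) | pre(trans, states, b, uncontrollable),
                  frozenset())
        return z - bad
    good = fix(step, states)
    if init not in good:
        return frozenset()
    # accessible component of the surviving states
    return fix(lambda y: frozenset({init}) |
               frozenset(t for s, _, t in trans if s in y and t in good), frozenset())


def enabled(trans, kept):
    """Supervisor as the set of (state, event) pairs whose target stays in `kept`."""
    return frozenset((s, e) for s, e, t in trans if s in kept and t in kept)


def solve_scp():
    """Classical problem: every kept state must reach a marker state."""
    return synthesize(STATES, TRANS, "i", UNCONTROLLABLE,
                      lambda z: ef(TRANS, z, MARK_A | MARK_B))


def solve_fair():
    """Generalised problem: both part types must stay producible infinitely often."""
    return synthesize(STATES, TRANS, "i", UNCONTROLLABLE,
                      lambda z: e_gf_all(TRANS, z, [MARK_A, MARK_B]))


if __name__ == "__main__":
    print("SCP  :", sorted(solve_scp()))    # locking into A-only mode stays allowed
    print("fair :", sorted(solve_fair()))   # r, a2, A2 removed: B would never recur
```

Both runs drop the maintenance state m, because its uncontrollable fail event leads to the dead state d; only the controllable maint event from i is disabled. The classical solution keeps the locked A-only cycle, since every state in it reaches a marker state, whereas the fairness solution removes it and disables the controllable lock event, because no infinite path from r visits B again. Only the condition argument changes between the two calls, which is the principle of Subsection 4.3 in executable form.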
5 Conclusion
The paper presents the Ramadge-Wonham supervisory control problem in a new formulation using a system of μ-calculus equations. In addition to providing a formal description of its solution, this approach naturally separates the representation of the two requirements of the problem, namely controllability and coaccessibility. This allows us to exchange the latter condition by any temporal logics expression, and thereby to extend the advantages of supervisor synthesis to the whole class of μ-calculus model checking problems. The computational complexity of each generalisation can be assessed easily from the alternation depth of the system of equations representing the solution.
References
[1] A. Arnold, A. Vincent, and I. Walukiewicz. Games for synthesis of controllers with partial observation. http://www.labri.fr/Perso/~vincent/Research/publications.html, 2002.
[2] J. Burch, E. Clarke, K. McMillan, D. Dill, and L. Hwang. Symbolic Model-Checking: 10^20 States and Beyond. In Proc. LICS, 1990.
[3] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic Publishers, Boston, U.S.A., 1999. ISBN 0792386094.
[4] E. M. Clarke, Jr, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, London, U.K., 1999. ISBN 0262032708.
[5] R. Cleaveland, M. Klein, and B. Steffen. Faster Model Checking for the Modal μ-Calculus. In G. v. Bochmann and D. K. Probst, editors, Computer Aided Verification (CAV’92), volume 663 of LNCS, pages 410–422, Heidelberg, Germany, 1992. Springer-Verlag.
[6] E. Emerson and C.-L. Lei. Efficient model checking in fragments of the propositional mu-calculus. In IEEE Symposium on Logic in Computer Science (LICS), pages 267–278, Washington, D.C., 1986. IEEE Computer Society Press.
[7] E. A. Emerson, C. S. Jutla, and P. Sistla. On model-checking for fragments of μ-calculus. In C. Courcoubetis, editor, Computer Aided Verification, volume 697 of LNCS, pages 385–396, Elounda, Greece, 1993. Springer Verlag.
[8] R. Kumar and V. Garg. Modeling and Control of Logical Discrete Event Systems. Kluwer Academic Publishers, 1995. ISBN 0792395387.
[9] J.-L. Lassez, V. Nguyen, and E. Sonenberg. Fixed point theorems and semantics: a folk tale. Information Processing Letters, 14(3):112–116, May 1982.
[10] D. Niwinski. On fixed point clones. In International Colloquium on Automata, Languages and Programming (ICALP), pages 464–473. L. Kott, Ed., vol 226 of LNCS, Springer Verlag, 1986.
[11] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM J. of Control and Optimization, 25(1):206–230, 1987.
[12] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedings of the IEEE, 77(1):81–98, 1989.
[13] K. Schneider. Verification of Reactive Systems – Algorithms and Formal Methods. EATCS Texts. Springer, 2003.
[14] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math., 5(2):285–309, 1955.
[15] J. G. Thistle and W. M. Wonham. Control of infinite behavior of finite automata. SIAM J. of Control and Optimization, 32(4):1075–1097, 1994.
[16] J. G. Thistle and W. M. Wonham. Supervision of infinite behavior of discrete-event systems. SIAM J. of Control and Optimization, 32(4):1098–1113, 1994.
[17] Th. Wilke. Alternating Tree Automata, Parity Games, and Modal μ-Calculus. Bull. Soc. Math. Belg., 8(2), May 2001.
[18] W. M. Wonham. Notes on control of discrete-event systems. Technical report, Dept. of Electrical and Computer Engineering, University of Toronto, Jul. 2002. Available at http://www.control.utoronto.ca/DES.
[19] W. M. Wonham and P. Ramadge. On the supremal controllable sublanguage of a given language. SIAM J. Control and Optimization, 25(3):637–659, May 1987.
[20] R. M. Ziller and K. Schneider. A μ-Calculus Approach to Supervisor Synthesis. In GI/ITG/GMM-Workshop Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen, pages 132–143, 2003.