# A generalized approach to supervisor synthesis

**ABSTRACT** We present a generalization of the supervisory control problem proposed by Ramadge and Wonham. The objective of that problem is to synthesize a controller, which constrains a system's behavior according to a given specification, ensuring controllability and co-accessibility. By introducing a new representation of the solution using systems of μ-calculus equations we are able to handle these two conditions separately and thus to exchange the co-accessibility requirement by any μ-calculus expression. Well-known results on the complexity of μ-calculus model checking allow us to easily assess the computational complexity of any generalization. As an example we solve the synthesis problem under consideration of fairness constraints.


**ABSTRACT** (translated from German): This thesis presents new findings on the modelling and specification of systems with discrete state spaces. An automatic procedure makes it possible, taking various system properties into account, to detect and exclude undesired states during the modelling phase. The procedure consists of a combination of supervisor synthesis and μ-calculus-based model checking. The formal representation of the systems and of their properties leads to error-free results, provided that the informal statements from which the formal input is derived were interpreted correctly and translated into the formal input. Developers are given a new, advantageous tool that can be integrated step by step into existing procedures without impairing the development processes practised so far. Source available from: Klaus Schneider.

##### Conference Paper: Synthesizing deterministic controllers in supervisory control

ICINCO 2005, Proceedings of the Second International Conference on Informatics in Control, Automation and Robotics, Barcelona, Spain, September 14-17, 2005, 4 Volumes / CD; 01/2005. Source available from: Klaus Schneider.

##### Conference Paper: Using Model Checking to Solve Supervisor Synthesis Problems

**ABSTRACT:** Verification procedures, which check whether a given system satisfies a given specification, are nowadays mature for industrial usage. The more general supervisor synthesis problem asks how a system has to be restricted or which actions have to be selected such that the system satisfies a given specification. Supervisor synthesis problems are often formulated in frameworks like game structures that are more general than the Kripke structures that are traditionally used in verification. For this reason, current verification tools cannot be used for supervisory control problems. In this paper, however, we present a reduction of alternating time μ-calculus model checking problems (on game structures) to model checking problems of the μ-calculus on Kripke structures. As a result, arbitrary model checkers can be used to solve supervisor synthesis problems. As a demonstration of the applicability of our approach, we show how the classical supervisory control problems of Ramadge and Wonham can be solved within our framework.

Decision and Control, 2005 and 2005 European Control Conference. CDC-ECC '05. 44th IEEE Conference on; 01/2006

A Generalised Approach to Supervisor Synthesis

Roberto Ziller
University of Karlsruhe, Institute for Computer Design and Fault Tolerance
P.O. Box 6980, 76128 Karlsruhe, Germany
email: ziller@informatik.uni-karlsruhe.de

Klaus Schneider
University of Kaiserslautern, Department of Computer Science
P.O. Box 3049, 67653 Kaiserslautern, Germany
email: Klaus.Schneider@informatik.uni-kl.de

Abstract

We present a generalisation of the supervisory control problem proposed by Ramadge and Wonham. The objective of that problem is to synthesise a controller which constrains a system's behaviour according to a given specification, ensuring controllability and coaccessibility. By introducing a new representation of the solution using systems of μ-calculus equations we are able to handle these two conditions separately and thus to exchange the coaccessibility requirement by any μ-calculus expression. Well-known results on the complexity of μ-calculus model checking allow us to easily assess the computational complexity of any generalisation. As an example we solve the synthesis problem under consideration of fairness constraints.

1 Introduction

Many embedded systems used in safety-critical applications consist of reactive real-time controllers, whose design requires automatic tools to improve efficiency and avoid errors made by humans. Modern verification methods [4] allow designers to check a given specification for a controller, but do not support the actual specification process except for providing a simulation trace when an error has been found. Ideally, the specification itself should be generated by a tool that takes the informal requirements of the designer and either outputs a correct specification or rejects them if they cannot be implemented.

A solution that takes the latter approach is offered by the Ramadge-Wonham framework [11, 18]. The main idea is thereby to model the physically possible behaviour of a system and the specification for its desired behaviour by finite-state machines. The method can be used to check whether a controller that ensures the specification can be constructed and, if this is not the case, to compute the largest subset of the specification for which a controller exists. This can then be used in place of the original specification, as long as the resulting behaviour is still acceptable.

The above is an informal description of the supervisory control problem formulated and solved in [11, 19]. Its solution is required to satisfy two conditions. The first one is controllability, meaning that the behaviour of the system under supervision must remain within the specification. The second one is coaccessibility, meaning that the system must always be able to complete at least one task. These requirements are examples of safety and liveness properties. However, the description of reactive systems often includes fairness properties and therefore requires extended capabilities. In this paper, we generalise the supervisory control problem so that such properties can also be considered.

Related work in this direction uses Büchi and Rabin automata to model infinite behaviour and to derive results on controllability analogous to those of the classical framework [15, 16]. However, finite behaviour is not considered. Besides, translating an informal description of a system into ω-automata is not a trivial task, and the absence of directions to support that translation leaves a gap between theoretical possibilities and application.

An approach that can handle both finite and infinite behaviour is found in [1]. The system and its specification are described using μ-calculus formulas. These are translated into alternating tree automata, and the supervisor synthesis problem is reduced to the μ-calculus satisfiability problem [17], which is in turn cast as a search for winning strategies in parity games [7].

In contrast, our approach reduces the supervisory control problem to the μ-calculus model checking problem [17]. We depart from specifications written in temporal logics, which have equivalent formulations in the modal μ-calculus defined over systems of fixpoint equations. We illustrate our point of view with several specifications taken from verification literature [13], which we extend to encompass the RW-controllability condition. The result is a generalised framework, of which the basic RW-model and the extension in [16] are special cases. Moreover, the μ-calculus equations are well-suited for implementation with symbolic methods, which efficiently reduce the state explosion

Proceedings of the First ACM and IEEE International Conference on Formal Methods and

Models for Co-Design (MEMOCODE’03) ISBN 0-7695-1923-7/03 $17.00 © 2003 IEEE


problem [2]. The chosen approach also enables us to use well-known results on the complexity of μ-calculus model checking [5] to derive the time complexity of any generalisation. Finally, the μ-calculus description can be understood by tools originally intended for verification, which are hereby extended to also handle controller synthesis.

The paper is organised as follows: Section 2 presents the Ramadge-Wonham framework and the supervisory control problem (SCP). Section 3 brings in μ-calculus expressions to present the known solution to SCP in a new formulation. Section 4 presents our generalised supervisory control problem along with several specification examples and its solution. The conclusion summarises the work.

2 The Ramadge-Wonham Framework

The framework parallels continuous systems control theory, in which a system and its controller form a closed loop. There, the feedback signal from the controller influences the behaviour of the system, enforcing a given specification that would not be met by the open-loop behaviour. This foundation on control theory explains some of the terminology adopted within the RW-framework, like the terms discrete event system (to designate an event-driven, discrete-space system, in opposition to time-driven, continuous systems) and plant (to designate the system to be controlled). It also leads naturally to the basic assumption that the description of the plant encompasses the whole physically possible behaviour of the system to be controlled (including unwanted situations), and that a specification is a subset of this behaviour that corresponds to the actions wanted to remain executable under control.

The plant is viewed as a system that generates events. It is also assumed that it has a control input, through which some of the events that could happen in each state can be prevented from occurring. The controller, referred to as supervisor, is an external agent that has the ability to observe the events generated by the plant and to influence its behaviour through the control input, as illustrated in Figure 1.

Figure 1. The basic RW-model: the plant emits events to the supervisor, and the supervisor feeds its control action back to the plant.

Control problems are formulated using language theory and finite automata. A finite automaton is a 5-tuple $A = (\Sigma, Q, \delta, q_0, Q_m)$, where $\Sigma$ is a set of events, $Q$ is a set of states, $\delta \subseteq Q \times \Sigma \times Q$ is a transition relation, $q_0 \in Q$ is the initial state, and $Q_m \subseteq Q$ is a set of states chosen to mark the completion of tasks by the system, which are therefore called marker states. Those readers familiar with the RW-literature will recall that $\delta$ is traditionally defined as a partial deterministic function. We use a relation instead because this simplifies notation later on. We write $(q, \sigma, q') \in \delta$ to signify that event $\sigma$ leads from state $q$ to state $q'$. In order to ensure the same functionality, we require the relation to be deterministic, that is,
$$(q, \sigma, q') \in \delta \wedge (q, \sigma, q'') \in \delta \;\Rightarrow\; q' = q''.$$

In the following, it is convenient to define the set of active events of a state $q$ as the subset of events for which there is a transition leaving state $q$:

Definition 1 (Active Events) Given an automaton $A = (\Sigma, Q, \delta, q_0, Q_m)$ and a particular state $q \in Q$, the set of active events of $q$ is:
$$\Sigma_A(q) = \{\, \sigma \in \Sigma \mid \exists q' \in Q.\ (q, \sigma, q') \in \delta \,\}.$$

When a plant and its supervisor are represented by finite automata $P$ and $H$, respectively, the control action of the latter amounts to running these automata in parallel, according to the following definition:

Definition 2 (Automata product) Given two automata $A_1 = (\Sigma, Q_1, \delta_1, q_{0,1}, Q_{m,1})$ and $A_2 = (\Sigma, Q_2, \delta_2, q_{0,2}, Q_{m,2})$ over the same event set, the product $A_1 \times A_2$ is the automaton $(\Sigma, Q_1 \times Q_2, \delta, (q_{0,1}, q_{0,2}), Q_{m,1} \times Q_{m,2})$, where
$$\delta = \{\, ((p, q), \sigma, (p', q')) \mid (p, \sigma, p') \in \delta_1 \wedge (q, \sigma, q') \in \delta_2 \,\}.$$

Note that if a given transition is present in only one of the states $p$ or $q$, it will not be present in state $(p, q)$, i.e.,
$$\Sigma_{A_1 \times A_2}((p, q)) = \Sigma_{A_1}(p) \cap \Sigma_{A_2}(q).$$

The control action of the supervisor enables only the events in $\Sigma_{P \times H}((p, q))$. Hence, in order to forbid the occurrence of event $\sigma$ when $P \times H$ is in state $(p, q)$, it suffices to omit $\sigma$ in state $q$ of $H$.

However, reactive systems may contain events that cannot be prevented from occurring, e.g. system failures and sensor or alarm signals. Therefore, the event set $\Sigma$ is partitioned into the sets of controllable events $\Sigma_c$ (which the supervisor can disable) and uncontrollable events $\Sigma_u$ (whose occurrence cannot be avoided). This places a condition on the existence of supervisors: a specification given by an automaton $E$ can be implemented by a supervisor only if, for every state $(p, q)$ of $P \times E$, every event in $\Sigma_P(p) \cap \Sigma_u$ is also in $\Sigma_{P \times E}((p, q))$.

Specifications that do not fulfill this requirement are termed uncontrollable, because they allow the plant to reach a state in which uncontrollable events can occur and, at the same time, try to forbid the occurrence of one or more of these events in that state. Formally, this means that the product $P \times E$ has one or more bad states, which are states $(p, q)$ that fail to satisfy the following condition:
$$\Sigma_P(p) \cap \Sigma_u \;\subseteq\; \Sigma_{P \times E}((p, q)) \qquad (1)$$


Analysing the controllability of a specification further requires some language theory: Every automaton $A = (\Sigma, Q, \delta, q_0, Q_m)$ has an associated marked language, denoted $L_m(A)$, which consists of all event sequences that end up in a marker state, hence representing the tasks the system is able to complete. When $\delta$ is extended in the usual way to a function $\hat\delta$ that processes strings from $\Sigma^*$,
$$L_m(A) = \{\, w \in \Sigma^* \mid \hat\delta(q_0, w) \text{ is defined and } \hat\delta(q_0, w) \in Q_m \,\}.$$

Given a specification automaton $E$, the language $L_m(E)$ is controllable if and only if $P \times E$ has no bad states. The marked language of plant $P$ under control of supervisor $H$ is $L_m(P \times H)$, and is denoted $L_m(H/P)$. Ramadge and Wonham have shown that, for any plant $P$ and any specification language $K \subseteq L_m(P)$, there exists the supremal controllable sublanguage of $K$, denoted $\sup C(K)$. This result is of practical interest: Given that the specification language $K$ is uncontrollable, it is possible to compute $\sup C(K)$ and to construct a supervisor $H$ such that $L_m(H/P) = \sup C(K)$. This language can replace the original specification, as long as the resulting behaviour under control is still acceptable.

Another aspect to consider is whether the supervisor always allows the system to make progress towards the completion of some task. This is not the case when the system can (1) reach a state in which no task is finished and no more events can occur (deadlock) or (2) be caught forever within a subset of states, none of which corresponds to a finished task (livelock). A supervisor that avoids these situations is said to be non-blocking. A non-blocking automaton is coaccessible, which means that there is at least one path leading from every state to a marker state. Controllability and coaccessibility come together in the following problem:

Definition 3 (Supervisory Control Problem (SCP) [11]) Given a plant $P$, a specification language $K \subseteq L_m(P)$ representing the desired behaviour of $P$ under supervision, and a minimally acceptable behaviour $K_{\min} \subseteq K$, find a non-blocking supervisor $H$ such that
$$K_{\min} \subseteq L_m(H/P) \subseteq K.$$

SCP is solvable if and only if $K_{\min} \subseteq \sup C(K)$, and $\sup C(K)$ is its least restrictive solution [11]. A coaccessible automaton $H$ whose marked language is equal to $\sup C(K)$ can be computed from the automata $P$ and $E$, with $E$ constructed so that $L_m(E) = K$. Because the resulting automaton is a supervisor, this computation is often referred to as supervisor synthesis.

The above is a summary of the most important concepts originally presented in [11, 19, 12]; for a comprehensive description the reader is also referred to [18, 3].
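The definitions of this section, written out as an added Python example that is not code from the paper: the automata product of Definition 2 over a shared event set, the bad-state condition (1), and the classical way of obtaining the supremal controllable sublanguage that the paper mentions as supervisor synthesis (remove the bad states of the product, trim the result to its accessible and coaccessible part, and repeat until no bad state remains). The machine, the specification and the event names are constructed for this example; an automaton is a 5-tuple whose transition relation is a set of triples, following the paper's relational definition of $\delta$.

```python
"""RW product, controllability check and classical supervisor synthesis (added example)."""
from collections import namedtuple

# (events, states, delta, q0, marked); delta is a set of (state, event, next_state) triples
Automaton = namedtuple("Automaton", "events states delta q0 marked")


def active_events(A, q):
    """Definition 1: the events that have a transition leaving state q."""
    return {sigma for (p, sigma, _) in A.delta if p == q}


def product(A1, A2):
    """Definition 2 over a shared event set, limited to the states reachable from
    (q0_1, q0_2). An event is enabled in (p, q) only if both components enable it."""
    q0 = (A1.q0, A2.q0)
    states, delta, todo = {q0}, set(), [q0]
    while todo:
        p, q = todo.pop()
        for (p1, sigma, p2) in A1.delta:
            if p1 != p:
                continue
            for (q1, tau, q2) in A2.delta:
                if q1 == q and tau == sigma:
                    nxt = (p2, q2)
                    delta.add(((p, q), sigma, nxt))
                    if nxt not in states:
                        states.add(nxt)
                        todo.append(nxt)
    marked = {(p, q) for (p, q) in states if p in A1.marked and q in A2.marked}
    return Automaton(A1.events | A2.events, states, delta, q0, marked)


def bad_states(P, PE, uncontrollable):
    """Condition (1): (p, q) is bad when an uncontrollable event that the plant P can
    execute in p is not enabled in the product state (p, q)."""
    return {(p, q) for (p, q) in PE.states
            if not (active_events(P, p) & uncontrollable) <= active_events(PE, (p, q))}


def restrict(A, keep):
    """Drop every state outside `keep` together with its transitions."""
    return Automaton(A.events, A.states & keep,
                     {t for t in A.delta if t[0] in keep and t[2] in keep},
                     A.q0, A.marked & keep)


def trim(A):
    """Keep only the states that are accessible from q0 and coaccessible to a marker state."""
    if A.q0 not in A.states:
        return restrict(A, set())
    acc, todo = {A.q0}, [A.q0]
    while todo:                       # forward reachability from q0
        q = todo.pop()
        for (p, _, n) in A.delta:
            if p == q and n not in acc:
                acc.add(n)
                todo.append(n)
    coacc, todo = set(A.marked), list(A.marked)
    while todo:                       # backward reachability from the marker states
        q = todo.pop()
        for (p, _, n) in A.delta:
            if n == q and p not in coacc:
                coacc.add(p)
                todo.append(p)
    return restrict(A, acc & coacc)


def synthesize(P, E, uncontrollable):
    """Classical solution of SCP: remove bad states, trim, repeat until no bad state is
    left. Removing non-coaccessible states can expose new bad states, hence the loop.
    The result recognises sup C(Lm(E)); its state set is empty when SCP is unsolvable."""
    PE = trim(product(P, E))
    while True:
        bad = bad_states(P, PE, uncontrollable)
        if not bad:
            return PE
        PE = trim(restrict(PE, PE.states - bad))


# Constructed plant: a machine that is started (controllable) and then either finishes
# or breaks down (uncontrollable); from idle it can also run a self-test whose outcome,
# ok or fail, is uncontrollable. The idle state I is the only marker state.
SIGMA_C = {"start", "test", "repair"}
SIGMA_U = {"done", "breakdown", "ok", "fail"}
MACHINE = Automaton(
    events=SIGMA_C | SIGMA_U, states={"I", "W", "D", "T", "F"},
    delta={("I", "start", "W"), ("W", "done", "I"), ("W", "breakdown", "D"),
           ("D", "repair", "I"), ("I", "test", "T"), ("T", "ok", "I"),
           ("T", "fail", "F"), ("F", "repair", "I")},
    q0="I", marked={"I"})

# Constructed specification: in normal operation (s0) a failed self-test is not
# admitted; after a breakdown the machine must be repaired and then self-tested,
# and only a passed test returns it to normal operation. Events a state does not
# mention are disabled there.
SPEC = Automaton(
    events=SIGMA_C | SIGMA_U, states={"s0", "s1", "s2", "s3", "s4"},
    delta={("s0", e, "s0") for e in ("start", "done", "test", "ok", "repair")}
          | {("s0", "breakdown", "s1"), ("s1", "repair", "s2"), ("s2", "test", "s3"),
             ("s3", "ok", "s0"), ("s3", "fail", "s4"), ("s4", "repair", "s0")},
    q0="s0", marked={"s0"})

if __name__ == "__main__":
    print("bad states:", bad_states(MACHINE, product(MACHINE, SPEC), SIGMA_U))
    SUP = synthesize(MACHINE, SPEC, SIGMA_U)
    print("supervisor states:", sorted(SUP.states))
    print("enabled in (I, s0):", active_events(SUP, ("I", "s0")))
```

Because `fail` is uncontrollable, the specification's wish that no test fails in normal operation is itself uncontrollable; the loop finds the single bad state (T, s0) and the supervisor it returns disables the controllable `test` in (I, s0) while still allowing the full breakdown, repair and self-test recovery cycle.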

3 Classical Supervisor Synthesis

In this section we associate Kripke structures with the automata used in the RW-framework and define a μ-calculus over them. Kripke structures are used in Subsection 3.3 to present a new description of the solution for SCP and are also needed to present our main result in Section 4. Because the μ-calculus is not usual in this context, we start with a brief review of basic concepts.

3.1 Fixpoint Calculus

Notations for extremal fixpoints of monotone operators have been introduced by different authors [9]. In particular, Tarski's work [14] has been frequently used in verification and synthesis literature [6, 15]. The following is an adaptation of the results found in these sources to suit our needs.

An operator $f$ on the powerset $2^S$ of a set $S$ is said to be monotone if, for any subsets $X, Y \subseteq S$,
$$X \subseteq Y \;\Rightarrow\; f(X) \subseteq f(Y). \qquad (2)$$

Such an operator has least and greatest fixpoints, which are the solutions of:
$$X =_\mu f(X) \qquad \text{and} \qquad X =_\nu f(X),$$
where the symbols $\mu$ and $\nu$ indicate that we seek the least and greatest values of $X$ that satisfy these equations. The solutions are denoted $\mu X.\, f(X)$ and $\nu X.\, f(X)$, and are known to satisfy:
$$\mu X.\, f(X) = \bigcap \{\, X \subseteq S \mid f(X) \subseteq X \,\} \qquad \text{and} \qquad \nu X.\, f(X) = \bigcup \{\, X \subseteq S \mid X \subseteq f(X) \,\}.$$

Given that $S$ is finite and $f$ is monotone, the least fixpoint can be found by an iteration starting with $X_0 = \emptyset$ and computing $X_{i+1} = f(X_i)$ until, for some $i$, $X_{i+1} = X_i$ holds. The greatest fixpoint can be obtained by the same iteration starting with $X_0 = S$. In this paper, the fixpoint operators will be applied to the state set of a finite Kripke structure.

There is also another version of the modal μ-calculus, defined on equation systems [5, 13] of the form:
$$x_1 =_{\sigma_1} \varphi_1, \quad \ldots, \quad x_n =_{\sigma_n} \varphi_n,$$
where $\sigma_i \in \{\mu, \nu\}$ for $i \in \{1, \ldots, n\}$. The formulas $\varphi_i$ may consist of the propositional operators $\wedge$, $\vee$, and $\neg$, and the modal operators $\mathsf{EX}$, $\mathsf{AX}$, $\mathsf{EY}$, and $\mathsf{AY}$. Here, $\mathsf{E}$ and $\mathsf{A}$ are path quantifiers that specify that the property that follows them in the expression must hold on at least one path ($\mathsf{E}$) or on all paths ($\mathsf{A}$) from some state in a Kripke structure. $\mathsf{X}$ and $\mathsf{Y}$ are temporal operators that limit the length of the path on which $\varphi$ has to be fulfilled to the immediate successor or the immediate ancestor states, respectively (see [4, 13] for background on modal operators and temporal logics). As usual, we require that the occurrences of all $x_i$ in every $\varphi_j$ must occur under an even number of negation symbols.

Any such system of equations can be translated into a single fixpoint expression that uses the operators $\mu$ and $\nu$, and vice versa [5, 13]. We shall use the equation system to present our results throughout the paper.

3.2 Automata and Kripke Structures

Definition 4 (Kripke Structure of an Automaton) Given an automaton $A = (\Sigma, Q, \delta, q_0, Q_m)$ representing the product of a plant and a specification, we define its associated Kripke structure $\mathcal{K}_A = (S, I, R, L)$ over the Boolean variables $V = \{u, b, m, i\}$ as follows:
$$S = Q \times \{0, 1\}, \qquad I = \{(q_0, 0), (q_0, 1)\},$$
$$R = \{\, ((q, 0), (q', 0)) \mid \exists \sigma \in \Sigma_u.\ (q, \sigma, q') \in \delta \,\} \;\cup\; \{\, ((q, 1), (q', 1)) \mid \exists \sigma \in \Sigma.\ (q, \sigma, q') \in \delta \,\},$$
$$L((q, 0)) = \{u\} \cup \{\, b \mid q \text{ is bad} \,\} \cup \{\, i \mid q = q_0 \,\}, \qquad L((q, 1)) = \{\, m \mid q \in Q_m \,\} \cup \{\, i \mid q = q_0 \,\}.$$

Here, $\Sigma_u \subseteq \Sigma$ is the set of uncontrollable events (see Section 2), $S$ is a set of states, $I$ is the set of initial states, and $R$ relates states $(q, 0)$ and $(q', 0)$ exactly when an uncontrollable event leads from $q$ to $q'$ and states $(q, 1)$ and $(q', 1)$ exactly when there is an event (controllable or not) leading from $q$ to $q'$ in $A$. This creates a structure with two disconnected substructures, each of which has a copy of the original states in $Q$. Finally, $L$ labels each state of $\mathcal{K}_A$ with a subset of $V$, thereby enabling us to address sets of states through Boolean expressions. Note that the Kripke structure can be constructed from the automaton in time linear in $|Q| + |\delta|$.

As an example, suppose the automaton in Figure 2 represents the product of some plant and specification. The composite numbers of the states have been replaced by singletons for simplicity. States 3 and 5 are assumed to be bad, and the event set is partitioned into controllable events $\Sigma_c$ and uncontrollable events $\Sigma_u$.

Figure 2. Example automaton (states 0 to 5)

The two halves of the associated Kripke structure are shown in Figure 3. Each state $(q, k)$ is labelled with the variable $u$ exactly when $k = 0$. The left substructure has transitions only where the automaton has uncontrollable transitions, and its states have in common the label $u$. Additionally, the states that correspond to bad states in the automaton have the label $b$. The right substructure reflects all transitions from the automaton, with the label $m$ identifying the state that corresponds to a marker state. Note that $u$ distinguishes the states from the two substructures, and that the left side does not know anything about the marker states, while the right side does not know about the bad states.

Figure 3. The associated Kripke structure: the left substructure consists of the states $(0,0)$ to $(5,0)$, the right substructure of the states $(0,1)$ to $(5,1)$

The following definitions give syntax and semantics of μ-calculus formulas:

Definition 5 (Syntax of μ-Calculus) Given a set of variables $V$, the set of μ-calculus formulas over $V$ is defined as the least set $\mathcal{F}$ that satisfies the following rules:
- $x \in \mathcal{F}$ for every $x \in V$;
- $\neg\varphi \in \mathcal{F}$, $\varphi \wedge \psi \in \mathcal{F}$ and $\varphi \vee \psi \in \mathcal{F}$, provided that $\varphi, \psi \in \mathcal{F}$;
- $\mathsf{EX}\,\varphi$, $\mathsf{AX}\,\varphi$, $\mathsf{EY}\,\varphi$, $\mathsf{AY}\,\varphi \in \mathcal{F}$, provided that $\varphi \in \mathcal{F}$;
- $f(\varphi) \in \mathcal{F}$, provided that $\varphi \in \mathcal{F}$ and $f$ is a monotone function on sets of states;
- $\mu x.\,\varphi \in \mathcal{F}$, provided that $x \in V$, $\varphi \in \mathcal{F}$, and every occurrence of $x$ in $\varphi$ is under an even number of negation symbols.

Definition 5 differs from those usually found in the literature in that it includes the formula $f(\varphi)$. This allows us to use any monotone state transformer function $f : 2^S \to 2^S$ in the computations. In particular, we will define a function $T$ to map states of one of the abovementioned substructures to the other.

Definition 6 (Semantics of μ-Calculus) Given a Kripke structure $\mathcal{K} = (S, I, R, L)$ over the variables $V$, we associate with each formula $\varphi$ a set of states $[\![\varphi]\!]_\mathcal{K} \subseteq S$ by the following rules:
- $[\![x]\!]_\mathcal{K} = \{\, s \in S \mid x \in L(s) \,\}$ for all variables $x \in V$;
- $[\![\neg\varphi]\!]_\mathcal{K} = S \setminus [\![\varphi]\!]_\mathcal{K}$;
- $[\![\varphi \wedge \psi]\!]_\mathcal{K} = [\![\varphi]\!]_\mathcal{K} \cap [\![\psi]\!]_\mathcal{K}$;
- $[\![\varphi \vee \psi]\!]_\mathcal{K} = [\![\varphi]\!]_\mathcal{K} \cup [\![\psi]\!]_\mathcal{K}$;
- $[\![\mathsf{EX}\,\varphi]\!]_\mathcal{K} = \{\, s \in S \mid \exists s' \in S.\ (s, s') \in R \wedge s' \in [\![\varphi]\!]_\mathcal{K} \,\}$;
- $[\![\mathsf{AX}\,\varphi]\!]_\mathcal{K} = \{\, s \in S \mid \forall s' \in S.\ (s, s') \in R \rightarrow s' \in [\![\varphi]\!]_\mathcal{K} \,\}$;
- $[\![\mathsf{EY}\,\varphi]\!]_\mathcal{K} = \{\, s \in S \mid \exists s' \in S.\ (s', s) \in R \wedge s' \in [\![\varphi]\!]_\mathcal{K} \,\}$;
- $[\![\mathsf{AY}\,\varphi]\!]_\mathcal{K} = \{\, s \in S \mid \forall s' \in S.\ (s', s) \in R \rightarrow s' \in [\![\varphi]\!]_\mathcal{K} \,\}$;
- $[\![f(\varphi)]\!]_\mathcal{K} = f([\![\varphi]\!]_\mathcal{K})$ for monotone $f$;
- $[\![\mu x.\,\varphi]\!]_\mathcal{K} = \bigcap \{\, Q' \subseteq S \mid [\![\varphi]\!]_{\mathcal{K}[x := Q']} \subseteq Q' \,\}$.

The last expression gives the least set of states $Q'$ such that $[\![\varphi]\!]_{\mathcal{K}[x := Q']} = Q'$ holds, where $\mathcal{K}[x := Q']$ is the Kripke structure where exactly the states $Q'$ are labelled with the variable $x$.

If $\varphi$ is a monotonic function of $x$, then $\mu x.\,\varphi$ is its least fixpoint [14]. We can also define some further macro operators like $\varphi \rightarrow \psi := \neg\varphi \vee \psi$, $\varphi \leftrightarrow \psi := (\varphi \rightarrow \psi) \wedge (\psi \rightarrow \varphi)$, and $\nu x.\,\varphi := \neg\mu x.\,\neg\varphi[\neg x / x]$, where $\varphi[\neg x / x]$ denotes $\varphi$ with every occurrence of $x$ replaced by $\neg x$. The latter can be shown to be the greatest fixpoint of $\varphi$.

In order to apply the above definitions to Kripke structures stemming from automata according to Definition 4, we define $T : 2^S \to 2^S$ by
$$T(X) = \{\, (q, 1 - k) \mid (q, k) \in X \,\},$$
which is easily verified to be monotone (see condition 2). The function $T$ then toggles the variable $u$ that identifies the substructure to which a given state pertains, thereby enabling us to switch from one substructure to the other. For simplicity, we write just $T(\varphi)$ for $T([\![\varphi]\!]_{\mathcal{K}_A})$ from this point on. Further, we have:
- $[\![b]\!] = \{\, (q, 0) \mid q \in Q \text{ and } q \text{ is initially bad} \,\}$;
- $[\![m]\!] = \{\, (q, 1) \mid q \in Q_m \,\}$;
- $[\![u]\!] = \{\, (q, 0) \mid q \in Q \,\}$;
- $[\![\neg u]\!] = \{\, (q, 1) \mid q \in Q \,\}$;
- $T(u) = [\![\neg u]\!]$ and $T(\neg u) = [\![u]\!]$.

In Section 4 we will need to refer to the Kripke structure formed by the states $[\![\neg u]\!]$ only. The following definition establishes a notation for this purpose:

Definition 7 (Restriction of a Kripke Structure) Given a Kripke structure $\mathcal{K} = (S, I, R, L)$ over the variables $V$ and a Boolean expression $\varphi$ over $V$, the restriction of $\mathcal{K}$ to the state set $[\![\varphi]\!]_\mathcal{K}$ is $\mathcal{K}|_\varphi = (S', I', R', L')$, where:
- $S' = S \cap [\![\varphi]\!]_\mathcal{K}$,
- $I' = I \cap [\![\varphi]\!]_\mathcal{K}$,
- $R' = R \cap (S' \times S')$,
- $L'(s) = L(s)$ if $s \in S'$, and undefined otherwise.

For example, $\mathcal{K}|_{\neg u}$ means the structure obtained by discarding the left substructure of $\mathcal{K}$ in Figure 3.

Any formula $\varphi$ over the variables $V$ also describes a subset of the states of $A$ according to the following projection, which maps states from the Kripke structure back to the originating automaton:

Definition 8 (Kripke Structure State Projection) Given an automaton $A$, its associated Kripke structure $\mathcal{K}_A$ and a μ-calculus formula $\varphi$ over the variables $V$, we define the projection of $[\![\varphi]\!]_{\mathcal{K}_A}$ onto the state set $Q$ of $A$ as:
$$\pi(\varphi) = \{\, q \in Q \mid (q, 0) \in [\![\varphi]\!]_{\mathcal{K}_A} \;\vee\; (q, 1) \in [\![\varphi]\!]_{\mathcal{K}_A} \,\}.$$

With this projection, we can construct an automaton from $A$ by restricting the state set of the original automaton to $\pi(\varphi)$. This completes the toolset to convert an automaton into a Kripke structure, compute a subset of states, and translate the result back to an automaton. For example, the set of states of $A$ that are accessible only through states lying in $\pi(\varphi)$ is given by:
$$\pi\big(\mu y.\ \neg u \wedge \varphi \wedge (i \vee \mathsf{EY}\, y)\big) \qquad (3)$$
where $i$ represents the initial states $I$. Similarly, the set of states of $A$ that are coaccessible only through states lying in $\pi(\varphi)$ is given by $\pi(\psi)$, with:
$$\psi =_\mu \neg u \wedge \varphi \wedge (m \vee \mathsf{EX}\, \psi). \qquad (4)$$

Of special interest is the alternation depth of a fixpoint expression [6, 10] or an equation system. Roughly speaking, this is the nesting depth of alternating $\mu$- and $\nu$-operators whose computation depends on each other. Expressions with a single operator have alternation depth 1 and are also called alternation-free. The alternation depth of an equation system is the largest number of blocks of formulas seeking a least or greatest fixpoint in the equation system that depend on each other to compute. The following result [13] will be useful to assess the computational complexity of our solution¹:

Theorem 1 (Complexity of μ-Calculus Model Checking) For every equation system of alternation depth $d$, whose length $\ell$ is given by the sum of the lengths of the right sides of the equations in the system, and every Kripke structure $\mathcal{K} = (S, I, R, L)$, there is an algorithm to compute its solution in time polynomial in $\ell$ and $|S| + |R|$, where the alternation depth $d$ enters as the exponent of the bound.

Corollary 1 A system of equations of constant length and alternation depth $d$ written for a Kripke structure associated to an automaton $A = (\Sigma, Q, \delta, q_0, Q_m)$ can be solved in time polynomial in $|Q| + |\delta|$, with the alternation depth $d$ as the exponent.

Proof. By construction, the Kripke structure from Definition 4 has $|S| = 2|Q|$ and $|R| \le 2|\delta|$. For constant $\ell$, the result follows immediately.

3.3Solving SCP

In this subsection, we present the solution for SCP in a

new form. Our approach differs from the existing ones

in that we replace the textual description of the algorithm

by a system of

use the Kripke structure associated to

constructed so that

is amenable to further mathematical manipulation, leading

naturally to the generalisation we propose.

?-calculus equations. For that purpose, we

?

?

??

?, with

?

?

?

?

??

?

??

?. The solution obtained

1This holds when the function

which we assume.

?

? can be computed in time

?

???,

Proceedings of the First ACM and IEEE International Conference on Formal Methods and

Models for Co-Design (MEMOCODE’03) ISBN 0-7695-1923-7/03 $17.00 © 2003 IEEE

Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on March 16, 2009 at 07:48 from IEEE Xplore. Restrictions apply.

Page 6

There are two different approaches in the literature to

solve SCP, namely the original algorithm [19, 3, 18] and

the one given in [8]. The first approach compares the au-

tomata

bad and then removes them from

transitions. Next, the resulting automaton is made trim, i.e., accessible and coaccessible. Because removing bad states can destroy coaccessibility and removing non-coaccessible states can expose new bad states, the algorithm is restarted with the trimmed automaton replacing the initial automaton, finding the states that are initially bad, together with the states that have to be removed with them, until a fixpoint is reached. Therefore, the search for initial bad states has to be repeated at each iteration. Since this requires information from the original automata which is not present in our Kripke structure, this approach is not well suited as a base for our new formulation.

On the other hand, the algorithm from [8] does not eliminate bad or non-coaccessible states from the automaton at each iteration, but collects them and delays elimination until a fixpoint is reached. A state is considered bad if it has an uncontrollable transition leading to a state already classified as bad or non-coaccessible. The trimming operation is substituted by collecting non-coaccessible states and by taking the accessible component of the automaton obtained after the fixpoint has been reached. The initial bad states have to be computed only once at the beginning of the solution process. This corresponds to the computation of the set of initially bad states, which is part of the construction of the Kripke structure associated to the automaton, and hence we base our solution on the latter approach.

We have derived μ-calculus expressions for the bad and for the non-coaccessible states in [20]. However, the generalisations we aim at now are best described in terms of the states to be preserved, instead of those to be eliminated. We shall therefore collect the coaccessible states (instead of the non-coaccessible ones) into one set, and the complement of the bad states, which we call good states, into another.

When collecting states, it is important to choose the appropriate half of the Kripke structure according to the transitions that matter in each case. For the good states, the computation has to be carried out on the substructure carrying the uncontrollable transitions, since only these matter. For the coaccessible states, all transitions are relevant, and hence this computation has to be done on the substructure carrying all transitions. When it comes to consider the good states in the computation of the coaccessible states and vice versa, we switch from one substructure to the other using a mapping function between the two halves. Hence the expression for the coaccessible states can be derived by restricting equation 4 to keep only coaccessible states that are good:

(5)

An expression for the good states is difficult to obtain directly, so we start with an expression for the bad states and complement it later. We collect the bad states into a set of their own, adding a new state to this set when it has an uncontrollable transition leading into a state that was already found to be bad or non-coaccessible. The initial value of this set is the set of initially bad states, and the non-coaccessible states are given by the complement of the coaccessible states, which the mapping function maps on the corresponding states of the substructure carrying the uncontrollable transitions. The expression for the bad states is thus:

(6)

The expression for the good states is obtained by complementing equation 6 and substituting the coaccessible states for the non-coaccessible ones. Because the complement brings in unwanted states from the other half of the Kripke structure, we explicitly restrict the result to the appropriate substructure in equation 8. Note also that the complement turns the least fixpoint into a greatest fixpoint. We then have the following system of equations:

(7)

(8)

Note that the set of good states contains the controllable states. Therefore, the intersection of the good states and the coaccessible states contains the states that are coaccessible and controllable. Hence the solution for SCP is the automaton derived from the accessible states of this intersection. The set of accessible states can be computed by substituting the intersection in equation 3 and restricting the result to the states of the intersection:

(9)

The above discussion is a proof of the following:

Proposition 1 (Solution of SCP) The solution of SCP is given by restricting the automaton to the accessible states of the intersection of the good and the coaccessible states, with these given by equation 9.

The complexity of the overall computation is given by Corollary 1. Since the system of equations 7 and 8 has alternation depth 2, we get the complexity expected for SCP [12, 3]. An example that illustrates the computation of the fixpoints is given in [20].

We can now proceed to our main result, which allows using other equations to describe the states to be collected, thereby generalising the class of problems that can be solved.

4 Generalising Supervisor Synthesis

This section discusses limitations of SCP and introduces the generalised version of the problem, GSCP. Several generalisation possibilities are presented in Subsection 4.2, and the solution for GSCP is presented in Subsection 4.3. Again, Corollary 1 enables us to assess the computational complexity of any solution derived through generalisation.

Proceedings of the First ACM and IEEE International Conference on Formal Methods and

Models for Co-Design (MEMOCODE’03) ISBN 0-7695-1923-7/03 $17.00 © 2003 IEEE

Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on March 16, 2009 at 07:48 from IEEE Xplore. Restrictions apply.


4.1 Generalised Supervisory Control Problem

The solution for SCP presented in Subsection 3.3 generates an automaton that is controllable and non-blocking, i.e., coaccessible. While controllability is likely to be required in any synthesis result, it is not difficult to imagine problems in which coaccessibility is not adequate to specify a desired behaviour. For example, suppose the system to be controlled is a manufacturing cell designed to produce a number of different parts, and that we want to restrict its behaviour through some specification. Suppose further that we want the resulting supervisor to allow the system to always be able to produce any of those parts. The last condition is a fairness constraint that cannot be expressed within SCP: if we model the production of each part as a finished task using marker states and apply the standard synthesis algorithm, then every non-empty supervisor will allow the system to reach at least one marker state. However, there is no guarantee that all marker states can be reached, and even if they can, it is still another problem to find out if they continue to be reachable all the time. In theory, the minimally acceptable behaviour in the formulation of SCP in Definition 3 could be used to reject an incomplete solution, but then the problem is transferred to finding out what that behaviour should be. If this were easy to determine, it could already be regarded as a solution, which we don't have by hypothesis.

This leads naturally to the question whether specifications like the above can be included in the synthesis process by modifying the requirement for coaccessibility, while controllability continues to be computed as before. The states fulfilling the new requirement would be computed on the same substructure used to compute the coaccessible states, and the new requirement must be fulfilled in every state of the right side of the Kripke structure, much like the requirement in SCP that all those states are coaccessible.

In the sequel, we bring in a series of fixpoint specifications used in formal verification. Each of them is an expression in temporal logics that can be interpreted as a requirement on the states of the Kripke structure. We therefore generalise the supervisory control problem by replacing the requirement for a non-blocking supervisor by a temporal logics condition. Our generalised problem is formulated as follows²:

Definition 9 (Generalised Supervisory Control Problem) (GSCP) Given a plant and a specification represented by both a language and a temporal logics condition, find a supervisor for the plant such that the supervised system respects the language, is controllable, and satisfies the temporal logics condition.

Before presenting the solution for GSCP, we give some examples of what the temporal logics condition could be.

²The symbol used for the last requirement of Definition 9 is read 'satisfies'.

4.2 Examples of Fixpoint Specifications

This subsection lists temporal logics expressions used in the design of reactive systems. Such expressions represent states of a Kripke structure that satisfy some temporal property. For example, the expression "on some path, φ eventually holds" stands for the states from which there is an infinite path that eventually reaches a state whose labelling satisfies the Boolean expression φ. The states satisfying any temporal logics expression can be computed by translating the expression into a system of μ-calculus equations (cf. [13]) whose solution is the desired set of states. Temporal logics expressions are thus used in formal verification to solve the model checking problem, which consists of solving the corresponding equation system and checking whether its solution contains the initial states of the Kripke structure.

In contrast, we shall use the solution of the equation system to restrict the Kripke structure to the states satisfying the desired property, thereby synthesising a supervisor as formulated in GSCP. The problems that can be solved are not limited to the expressions presented below, but open to any expression written according to a specific need. The following ones are just examples to illustrate the application of the generalised approach.

- "On some infinite path, φ always holds" holds in every state of a structure that has an infinite path that runs through states that satisfy the property φ. This property can be expressed in the μ-calculus by a fixpoint equation.

- "On some infinite path, φ eventually holds" holds in every state of a structure that has an infinite path that reaches a state that satisfies the property φ. Its μ-calculus definition consists of two equations: the first represents the set of states that have an infinite path, and the second will therefore be satisfied by those states that can reach a state where φ holds.

- If the previous property is not to be restricted to infinite paths, we write its unrestricted variant (10). This means that the equation for the states with an infinite path can be dropped in the equation system above, which is reduced to the reachability equation alone.

- "On some infinite path, φ holds until ψ holds" holds in every state of a structure that has an infinite path that reaches a state that satisfies the property ψ, and up to (but not necessarily including) this state, will only run through states that satisfy the property φ. Its μ-calculus definition again consists of two equations: the first represents the set of states that have an infinite path, and the second will therefore be satisfied by those states that can reach a state where ψ holds, while only states satisfying φ may be traversed.

- The unrestricted version of the "until" property also considers finite paths. Dropping the equation for the states with an infinite path reduces the above equation system to the second equation alone.

- "On some infinite path, φ eventually holds forever" holds in states that have at least one infinite path where after some point of time φ always holds. This translates to two equations: as in our first example, one computes the set of states that have an infinite path where φ always holds, and the other computes the set of states that can reach that set via a possibly finite path.

- If we want to compute the set of states that can reach a state with some property ψ at least twice, while only states satisfying φ may be traversed, then a corresponding equation system can be written in the same way.

- Again, finite paths can be considered by dropping the equation for the states with an infinite path.

- "On some infinite path, φ holds infinitely often" holds in states that have at least one path where states satisfying φ are traversed infinitely often. This is computed by a nested fixpoint equation system.

- We will now extend the previous condition in that the path should additionally only run through states satisfying ψ. Hence, we want to compute the states that satisfy "φ infinitely often" and "ψ always" on the same path, again as an equation system.

- We extend the previous condition once more, considering several different sets of states that should each be reached infinitely often. The property to be computed is the conjunction, over all these sets, of the "infinitely often" requirement on one and the same path (11), which can be expressed in the μ-calculus by one nested equation per set.

- Finally, we consider the property that for some pair of state sets the first set is visited only finitely often while the second is visited infinitely often, which is known as the acceptance condition of Rabin automata used in [15, 16].

4.3 Solving GSCP

We can now present our main result, which consists of combining the solution for SCP presented in Subsection 3.3 with the conditions represented by equation systems like those in Subsection 4.2. Our generalisation is governed by the following principle, which we assume to have an axiomatic character: while coaccessibility can be exchanged by any other condition, controllability must always be respected.

Formally, we mean that equation 7 can be replaced by any set of equations needed to specify some desired property, while equation 8 has to be modified so that the states having the new property take the place of the coaccessible states. The systems of equations presented in Subsection 4.2 have a general form in which one designated variable denotes the set of states satisfying the condition of interest and the remaining equations define the auxiliary state sets it depends on.

According to our argumentation in Subsection 4.1, this condition should be applied only to the substructure of the Kripke structure originally used to compute the coaccessible states. This can be achieved by restricting the expressions for the state sets of the equation system to that substructure. Further, looking for a supervisor requires that all paths in the solution contain only good states, which implies restricting the above state sets to the good states as well. Hence the generalised equation system has the following pattern: the equations of the property, with each state set restricted to the good states on the coaccessibility substructure, followed by equation 8 with the coaccessible states replaced by the states satisfying the property.

As in Subsection 3.3, the accessible states of the solution can be computed by substituting the intersection of the good states and the states satisfying the property in equation 3 and restricting the result to that intersection:

(12)

The above discussion is a proof of the following:

Proposition 2 (Solution of GSCP) The solution of GSCP is given by restricting the automaton to the accessible states of the intersection of the good states and the states satisfying the property, with these given by equation 12.

4.4 Generalisation Examples

As a first example, let us derive the solution for SCP from the generalised problem. SCP requires that every state has a path (no matter whether finite or infinite) leading to a marker state. This can be expressed by the temporal logics condition "on some path, a marker state is eventually reached", taken over finite as well as infinite paths, i.e., expression 10 with the marker states as the target. Substituting this condition in the generalised solution pattern for GSCP we get a system of two equations.

The first equation can be simplified if we note that the computation of the reachability set starts with the empty set (because it is a least fixpoint) and that the states it collects are all on the substructure used for the coaccessible states. Therefore, the computation of the fixpoint never yields states of the other half that would have to be cut out by the conjunction with the substructure restriction. Hence the latter can be dropped, which transforms the first of the equations above into equation 7. The second equation is already equation 8.

As a second example, we solve the fairness problem described in Subsection 4.1. Let the states that should remain reachable infinitely often be given by one set of marker states per part. Then the temporal logics expression that formalises the problem is the requirement that, on some path, each of these sets is visited infinitely often, which is expression 11 with those sets substituted. According to Subsection 4.3, the generalised equation system consists of the nested fixpoint equations for this property, each restricted to the good states, followed by the modified equation 8.

The supervisor can again be constructed by restricting the automaton to the resulting set of states. The computational complexity of the solution can also be easily assessed: since the system of equations above has alternation depth 2, this problem has the same computational complexity as SCP.
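The two examples above, together with the fixpoint specifications of Subsection 4.2 they build on and the SCP solution of Subsection 3.3, can be exercised on a small constructed plant. The Python below is an added example written for this page, not code from the paper or its authors: it computes the good states as a greatest fixpoint over a pluggable property (coaccessibility for SCP, the "every target set infinitely often" condition for the fairness problem) and then takes the accessible component, following equations 9 and 12. The plant (a cell producing parts A and B), its event names, the helper names and the μ-calculus encoding of the fairness condition are this example's own assumptions, and it works on the product automaton directly rather than on the paper's two-sided Kripke structure.

```python
# Added example, not the paper's code: plant, event names, helper names and the
# fairness encoding are this example's own assumptions.
from typing import Callable, FrozenSet, Iterable, List, Set, Tuple

StateSet = FrozenSet[str]
Property = Callable[["Plant", StateSet], StateSet]

def fixpoint(f: Callable[[StateSet], Iterable[str]], start: Iterable[str]) -> StateSet:
    """Kleene iteration; least fixpoints start empty, greatest from the whole set."""
    x = frozenset(start)
    while True:
        nx = frozenset(f(x))
        if nx == x:
            return x
        x = nx

class Plant:
    """Product automaton (plant || specification): labelled transitions, marker
    states, and the events a supervisor cannot disable."""

    def __init__(self, init: str, trans: List[Tuple[str, str, str]],
                 markers: Iterable[str], uncontrollable: Iterable[str]) -> None:
        self.init, self.trans = init, trans
        self.states = frozenset({init} | {s for a, _, b in trans for s in (a, b)})
        self.markers = frozenset(markers)
        self.uncontrollable = frozenset(uncontrollable)

    def pre(self, target: StateSet, within: StateSet) -> StateSet:
        """Predecessors of `target` along transitions that stay inside `within`."""
        return frozenset(s for s, _, t in self.trans
                         if s in within and t in within and t in target)

    def post(self, source: StateSet, within: StateSet) -> StateSet:
        """Successors of `source` along transitions that stay inside `within`."""
        return frozenset(t for s, _, t in self.trans
                         if s in source and s in within and t in within)

def coaccessible(plant: Plant, good: StateSet) -> StateSet:
    """SCP requirement (the role of equation 7): good states that can reach a marker."""
    seed = plant.markers & good
    return fixpoint(lambda y: seed | plant.pre(y, good), frozenset())

def fair(target_sets: List[Set[str]]) -> Property:
    """GSCP requirement of Subsection 4.4: some infinite path visits every target
    set infinitely often. Encoded as  nu Z. AND_i mu Y_i. (M_i & pre(Z)) | pre(Y_i):
    a state is in Z iff for each i it can reach an M_i state with a successor in Z;
    chaining those visits in round-robin order yields the fair path."""
    def prop(plant: Plant, good: StateSet) -> StateSet:
        def step(z: StateSet) -> StateSet:
            result = good
            for m in target_sets:
                seed = frozenset(m) & plant.pre(z, good)
                result &= fixpoint(lambda y, s=seed: s | plant.pre(y, good), frozenset())
            return result
        return fixpoint(step, good)
    return prop

def synthesise(plant: Plant, prop: Property, bad0: Iterable[str] = ()) -> StateSet:
    """The role of equation 8: a state stays good only if every uncontrollable
    transition from it leads to a state that is still good and satisfies `prop`
    on the good substructure (a greatest fixpoint). `bad0` are the initially bad
    states, which the paper computes once while building the Kripke structure.
    Returns the accessible part of the surviving states (equations 9 and 12)."""
    good = plant.states - frozenset(bad0)
    while True:
        keep = good & prop(plant, good)
        new_good = frozenset(s for s in good if all(
            t in keep for a, e, t in plant.trans if a == s and e in plant.uncontrollable))
        if new_good == good:
            break
        good = new_good
    init = frozenset({plant.init}) & keep
    return fixpoint(lambda x: init | plant.post(x, keep), frozenset())

def disabled(plant: Plant, sup: StateSet) -> Set[Tuple[str, str]]:
    """Controllable events the supervisor must disable, per kept state."""
    return {(s, e) for s, e, t in plant.trans
            if s in sup and t not in sup and e not in plant.uncontrollable}

def is_controllable(plant: Plant, sup: StateSet) -> bool:
    """Check: no uncontrollable transition leaves the supervised state set."""
    return all(t in sup for s, e, t in plant.trans if s in sup and e in plant.uncontrollable)

# Constructed plant: a cell producing parts A and B. `rush` is a fast mode whose
# uncontrollable `fail` leaves the cell dead; `lock` enters an A-only mode that
# is non-blocking but can never produce a B again.
CELL = Plant(
    init="idle",
    trans=[("idle", "start_a", "wa"), ("idle", "start_b", "wb"),
           ("idle", "rush", "wr"), ("idle", "lock", "alock"),
           ("wa", "done_a", "fa"), ("wa", "fail", "jam"),
           ("wb", "done_b", "fb"), ("wb", "fail", "jam"),
           ("jam", "repair", "idle"), ("fa", "ship", "idle"), ("fb", "ship", "idle"),
           ("wr", "done_a", "fa"), ("wr", "fail", "dead"),
           ("alock", "start_a", "wa2"), ("wa2", "done_a", "fa2"), ("fa2", "ship", "alock")],
    markers={"fa", "fb", "fa2"},
    uncontrollable={"done_a", "done_b", "fail"},
)

if __name__ == "__main__":
    for name, prop in (("SCP", coaccessible), ("GSCP", fair([{"fa", "fa2"}, {"fb"}]))):
        sup = synthesise(CELL, prop)
        print(name, "keeps", sorted(sup), "disables", sorted(disabled(CELL, sup)))
```

Running it shows the difference the generalisation makes on this plant: SCP keeps the A-only mode entered through `lock`, since it is controllable and non-blocking, while the fairness condition removes it, so the supervisor has to disable `lock` at `idle` in addition to `rush`, whose uncontrollable `fail` leads to a dead state. Note that `wa2` is dropped by the controllability step rather than by the property itself: its only uncontrollable successor `fa2` cannot satisfy the fairness condition, exactly the interplay between equation 8 and the exchanged condition that the generalised pattern captures.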

5 Conclusion

The paper presents the Ramadge-Wonham supervisory control problem in a new formulation using a system of μ-calculus equations. In addition to providing a formal description of its solution, this approach naturally separates the representation of the two requirements of the problem, namely controllability and coaccessibility. This allows us to exchange the latter condition by any temporal logics expression, and thereby to extend the advantages of supervisor synthesis to the whole class of μ-calculus model checking problems. The computational complexity of each generalisation can be assessed easily from the alternation depth of the system of equations representing the solution.

References

[1] A. Arnold, A. Vincent, and I. Walukiewicz. Games for synthesis of controllers with partial observation. http://www.labri.fr/Perso/~vincent/Research/publications.html, 2002.

[2] J. Burch, E. Clarke, K. McMillan, D. Dill, and L. Hwang. Symbolic Model-Checking: 10^20 States and Beyond. In Proc. LICS, 1990.

[3] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic Publishers, Boston, U.S.A., 1999. ISBN 0-7923-8609-4.

[4] E. M. Clarke, Jr, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, London, U.K., 1999. ISBN 0-262-03270-8.

[5] R. Cleaveland, M. Klein, and B. Steffen. Faster Model Checking for the Modal μ-Calculus. In G. v. Bochmann and D. K. Probst, editors, Computer Aided Verification (CAV'92), volume 663 of LNCS, pages 410–422, Heidelberg, Germany, 1992. Springer-Verlag.

[6] E. Emerson and C.-L. Lei. Efficient model checking in fragments of the propositional mu-calculus. In IEEE Symposium on Logic in Computer Science (LICS), pages 267–278, Washington, D.C., 1986. IEEE Computer Society Press.

[7] E. A. Emerson, C. S. Jutla, and P. Sistla. On model-checking for fragments of μ-calculus. In C. Courcoubetis, editor, Computer Aided Verification, volume 697 of LNCS, pages 385–396, Elounda, Greece, 1993. Springer-Verlag.

[8] R. Kumar and V. Garg. Modeling and Control of Logical Discrete Event Systems. Kluwer Academic Publishers, 1995. ISBN 0-7923-9538-7.

[9] J.-L. Lassez, V. Nguyen, and E. Sonenberg. Fixed point theorems and semantics: a folk tale. Information Processing Letters, 14(3):112–116, May 1982.

[10] D. Niwinski. On fixed point clones. In L. Kott, editor, International Colloquium on Automata, Languages and Programming (ICALP), volume 226 of LNCS, pages 464–473. Springer-Verlag, 1986.

[11] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM J. of Control and Optimization, 25(1):206–230, 1987.

[12] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedings of the IEEE, 77(1):81–98, 1989.

[13] K. Schneider. Verification of Reactive Systems – Algorithms and Formal Methods. EATCS Texts. Springer, 2003.

[14] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math., 5(2):285–309, 1955.

[15] J. G. Thistle and W. M. Wonham. Control of infinite behavior of finite automata. SIAM J. of Control and Optimization, 32(4):1075–1097, 1994.

[16] J. G. Thistle and W. M. Wonham. Supervision of infinite behavior of discrete-event systems. SIAM J. of Control and Optimization, 32(4):1098–1113, 1994.

[17] Th. Wilke. Alternating Tree Automata, Parity Games, and Modal μ-Calculus. Bull. Soc. Math. Belg., 8(2), May 2001.

[18] W. M. Wonham. Notes on control of discrete-event systems. Technical report, Dept. of Electrical and Computer Engineering, University of Toronto, Jul. 2002. Available at http://www.control.utoronto.ca/DES.

[19] W. M. Wonham and P. Ramadge. On the supremal controllable sublanguage of a given language. SIAM J. Control and Optimization, 25(3):637–659, May 1987.

[20] R. M. Ziller and K. Schneider. A μ-Calculus Approach to Supervisor Synthesis. In GI/ITG/GMM-Workshop Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen, pages 132–143, 2003.
