Petri Net Supervisors for DES with
Uncontrollable and Unobservable Transitions
Technical Report of the ISIS Group
at the University of Notre Dame
ISIS-99-004
http://www.nd.edu/ isis/tech.html
February, 1999
John O. Moody
Lockheed Martin Federal Systems
1801 State Rt. 17C, MD 0210
Owego, NY 13827-3998
john.moody@lmco.com
Panos J. Antsaklis
Department of Electrical Engineering
University of Notre Dame
Notre Dame, IN 46556
Panos.J.Antsaklis.1@nd.edu
Interdisciplinary Studies of Intelligent Systems
The partial financial support of the National Science Foundation (ECS95-31485) and the Army Research
Office (DAAG55-98-1-0199) is gratefully acknowledged.
Abstract
A supervisor synthesis technique for Petri net plants with uncontrollable and unobservable
transitions that enforces the conjunction of a set of linear inequalities on the reachable markings
of the plant is presented. The approach is based on the concept of Petri net place invariants.
Each step of the procedure is illustrated through a running example involving the supervision
of a robotic assembly cell. The controller is described by an auxiliary Petri net connected to the
plant’s transitions, providing a unified Petri net model of the closed loop system. The synthesis
technique is based on the concept of admissible constraints. An inadmissible constraint can
not be directly enforced on a plant due to the uncontrollability or unobservability of certain
plant transitions. Procedures are given for identifying all admissible linear constraints for a
plant with uncontrollable and unobservable transitions, as well as methods for transforming
inadmissible constraints into admissible ones. When there are multiple transformations of this
kind, a technique is described for creating a modified Petri net controller that enforces the
union of all these control laws. It is shown how a variety of supervisory control problems
can be formulated and solved using the method proposed here. The method is practical and
computationally inexpensive in terms of size, design time, and implementation complexity.
1 Introduction
1.1 Modeling DES with Petri Nets
It is often necessary to regulate or supervise the behavior of discrete event systems (DES)
in order to meet safety or performance criteria, e.g., preventing automated guided vehicles from
colliding on a factory floor by restricting their access to certain mutually traveled zones. DES
supervisors are used to insure that the behavior of the plant does not violate a set of constraints
under a variety of operating conditions. The regulatory actions of the supervisor are based on
observations of the plant state, resulting in feedback control.
It is common to see discrete event systems modeled as finite automata [22, 28]. Methods exist
for designing controllers based on automata system models; however, these methods often involve
exhaustive searches or simulations of system behavior, making them impractical for systems with
large numbers of states and transition-causing events.
Modeling discrete event systems with Petri nets (PN’s) may help address some of these diffi-
culties. Petri nets [3,20, 21,24] have a simple mathematical representation employing linear matrix
algebra making them particularly useful for analysis and design. Petri net models are normally
more compact than automata based models that represent the same system behavior and are bet-
ter suited for the representation of systems with repeated structures and flows but large reachable
state spaces. Petri nets allow for the simultaneous occurrence of multiple events without suffering
from increased model complexity, as is the case with automata. In addition they have an appealing
graphical representation that makes it possible to visualize the state-flow of a system and to quickly
see dependencies of one part of a system on another.
The intuitive graphical representation and the powerful algebraic formulation of Petri nets have
led to their use in a number of practical fields. Petri nets are used to model multiprocessor computer
systems, computer networks, digital communication protocols, process control plants, queuing
systems, and flexible manufacturing cells, among others. Oftentimes the graphical representation
of a plant as a Petri net model is enough for an engineer to design a controller or supervisor for
the plant. Many control techniques exist that involve recognizing and then manipulating certain
structures that commonly appear in Petri net models. Other techniques exist for automatically
verifying the reliability of these control designs. A survey of a variety of supervisory
control procedures for Petri nets can be found in [8]. Representing the controller itself as a Petri
net makes the verification of the combined plant/controller system simpler, as well as reducing the
number of computational tools required to model the overall system. Unfortunately, even when
the controller is modeled as a Petri net, this cyclic technique of design and verification can become
quite cumbersome when the plant model is large. This leads to the desire for an efficient method
for the automatic generation of controllers based on the plant and constraint data.
1.2 Invariant Based Controllers and Linear State Constraints
A method for automatically deriving supervisory controllers for discrete event systems described
by Petri nets appears in [19, 32]. The control designer is presented with a Petri net model of a
DES and a set of linear constraints on the state space of the DES, and the control goal is to
insure that the constraints are met during the plant’s operation. The method is based on the
idea that specifications representing desired plant behaviors can be enforced by making them place
invariants of the feedback controlled system. The resulting controllers are themselves Petri nets and
are identical to the monitors [7] of Giua et al., which were derived independently using a different
methodology. This technique forms the basis of the synthesis procedure described in this paper
and is summarized in section 3.
Linear inequalities can be used to describe a large class of forbidden state problems. The basic
synthesis procedure requires that the set of allowed states be a convex region described by the
conjunction of several linear inequalities. The modified control structure of section 6 expands the
class of realizable forbidden state problems by allowing nonconvex feasible regions in the form of
disjunctions of linear state inequalities. Thus the control procedure can be applied to many common
problems seen in flexible manufacturing, process control, and communication networks, including
serial, parallel and general mutual exclusion problems [4, 7], and the modeling and allocation of
shared resources [17].
Insuring system liveness or avoiding deadlock is a common and important supervisory control
goal. The existence of liveness-insuring supervisors for Petri nets with uncontrollable transitions
has been studied by Sreenivas [26, 27]. Techniques for deadlock avoidance have been proposed by
a variety of researchers; see [1, 2, 5, 10, 11, 29] for details. These techniques involve analysis of the
siphons or other similar structures within the Petri net plant. Often the resulting controllers can
be expressed in terms of supervisors enforcing sets of linear inequalities on the reachable plant
states. Combining these techniques with the supervision approach of this paper can then be used
to prevent deadlock or insure liveness for plants with uncontrollable and unobservable transitions.
Some supervisory control specifications may seem outside the scope of the technique presented in
this paper because they are not normally expressed as linear inequalities or because they deal with
events or time, rather than particular states. However many of these problems can be expressed as
constraints on the state and enforced using the invariant based controllers of this paper. Established
and systematic techniques exist for transforming a class of logical predicates on plant behavior into
linear state inequalities [31]. Conditions involving the occurrence of events and particular regions of
the state space or conditions involving the concurrence of individual events can also be expressed as
state-based inequalities [15,32]. The addition of “clock” and “timer” structures to timed Petri nets
provides an interface between continuous time and the event driven world of supervisory control.
This allows for the synthesis of controllers for timed Petri nets with control specifications involving
real time [15, 16].
A major goal in the field of discrete event system control is the synthesis of supervisors under
conditions where certain state to state transitions can not be prevented by any action from the
supervisor, i.e., conditions under which certain transitions are uncontrollable. The problem is then
to design a controller that prevents states from occurring that violate the behavioral constraints
directly or that might lead to a violation of the constraints through the action of uncontrollable
transitions.
Li and Wonham [13] have made important contributions regarding the enforcement of linear
constraints on Petri net plants with uncontrollable transitions. These authors show that optimal, or
maximally permissive, control actions that account for uncontrollable transitions can be found by
repeated applications of an integer linear programming problem (ILP), assuming that valid control
actions actually exist and that the uncontrollable portion of the net contains no loops. They
also give sufficient conditions under which the solution to the ILP has a closed form expression.
In these cases, the control law can be enforced by a feedback Petri net supervisor of the type
described in section 3 or 6 of this paper. The computation of the control law, described in sections
4 and 5 presented here involves only matrix algebra and is more desirable, computationally, than
analytically solving an ILP. The tree structure assumed by Li and Wonham is sufficient but not
necessary: for example, the structure of the uncontrollable part of the plant in section 6.2 does not
have a “tree structure” (in fact it contains a loop), yet a maximally permissive supervisor was
found and implemented using a modified Petri net of the kind described in section 6.
The concept of uncontrollability is associated with the dual concept of unobservability. It is
possible that a DES plant might contain certain state to state transitions that can not be detected
by the supervisor. The mathematical representation of these unobservable events is analogous to
uncontrollable transitions. Both uncontrollable and unobservable transitions are covered by the
design procedures of this paper.
1.3 Summary of Contents
Following the review of the algebraic model of Petri nets in section 2, a brief summary of the
basic synthesis procedure of [32] appears in section 3. The primary contribution of this paper is
the extension of these results to the synthesis of PN supervisors for plants with uncontrollable
and unobservable transitions. One possible approach to this problem is to construct a supervisor
that searches through the uncontrollably reachable markings of the plant at every iteration of
the plant’s evolution. This potentially expensive search is avoided here through the concept of
admissible constraints, introduced in section 4. A constraint is called admissible when, among the
states that satisfy the constraint, none could lead (uncontrollably) to a state that does violate
the constraint. Admissible constraints may be simply and directly enforced on a plant without
requiring that the supervisor search through uncontrollably reachable markings. Computational
techniques for generating admissible constraint transformations are presented in the appendix, and
supervisors for enforcing admissible constraints can be synthesized using the technique of section
3.
Section 5 shows how to characterize all admissible linear constraints for a given Petri net.
When a constraint is found to be inadmissible, this characterization can be used to find the set of
all admissible constraints that have feasible regions that lie within the feasible region of the original
constraint. Section 6 shows how to construct a supervisor that will enforce the logical union of all
these admissible constraints (a disjunction of linear inequalities), thus providing for a high degree
of plant freedom while accounting for uncontrollable and unobservable transitions.
Section 7 shows how a variety of supervisory control problems can be formulated and solved
using the proposed method. These problems include the modeling of finite resources, constraints on
allowed events (as opposed to states), constraints expressed as logical predicates on plant behavior,
and real time constraints for timed Petri nets.
Concluding remarks are given in section 8.
2 Petri Net Fundamentals
A Petri net is a directed bipartite graph. The structure of a Petri net is described by $(P, T, D^+, D^-)$,
where $P$ and $T$ are disjoint sets representing the vertices of the graph, known as places and transitions,
and $D^+$ and $D^-$ are integer matrices with nonnegative elements representing the flow relation
between the two vertex types.
Places in a Petri net hold tokens, the distribution of which indicates the net’s state or its
marking. Transitions direct the flow of tokens between places, thus the firing of a transition is
a state changing event in a DES model. A Petri net’s incidence matrix represents the weighted
connections of directed arcs between its places and transitions. It is composed of two matrices, D−,
representing arcs from places to transitions, and D+, representing arcs from transitions to places.
$$D = D^+ - D^- \qquad (D^+, D^- \ge 0)$$
The incidence matrix is used to construct a difference equation that describes the evolution of
the net’s state.
$$\mu(k+1) = \mu(k) + D q(k), \qquad \mu(0) = \mu_0 \tag{1}$$
where
$$\mu \in \mathbb{Z}^n,\; q \in \mathbb{Z}^m,\; \mu, q \ge 0 \tag{2}$$
where $\mathbb{Z}$ is the set of integers, $\mu$ is the net’s state or marking vector, $q$ is the input or firing vector,
and $D \in \mathbb{Z}^{n \times m}$. The notation $\mu, q \ge 0$ indicates that every element of the marking and firing
vectors is nonnegative at all times. This element-by-element interpretation of inequalities will be
used throughout this paper whenever vectors or matrices appear on either side of the inequality
symbol.
The nonnegativity conditions in (2) lead to the Petri net transition enabling rule. A firing
vector $q$ is feasible (represents a valid set of transition firings) if $q \ge 0$ and
$$D^- q \le \mu \tag{3}$$
where the iteration counter $k$ has been dropped for convenience. If the Petri net’s transitions contain
no self loops, i.e., the positions of the nonzero elements in $D^+$ and $D^-$ are mutually exclusive, then
the transition enabling rule can be written
$$\mu + D q \ge 0 \tag{4}$$
Care must be taken when using (3) or (4) when $q$ indicates the concurrent firing of multiple
transitions. There are a variety of different techniques for handling concurrency. Concurrency may
not be allowed at all, in which case $q$ would be a zero vector with a single element equal to one.
Concurrency may be allowed only when each of the indicated transition firings could occur one
after the other in any order. In this case $q$ must satisfy (3), or each transition firing indicated in $q$
must independently satisfy (4) as well as the complete $q$ vector. If (4) is used without this check
for independently enabled transitions, then certain concurrent firings may be allowed even though
some or all of the individual transitions indicated in the firing could not fire by themselves. The
choice of which of these methods to use is dictated by the modeling requirements and the particular
plant.
Petri net place invariants are fundamental to the supervisor synthesis technique described in
the following section. A place invariant is an integer vector $x$ that satisfies
$$x^T \mu = x^T \mu_0 \quad \text{for all reachable } \mu$$
Thus $x^T \mu$ is a constant for all reachable states if $x$ is a place invariant. Place invariants can be
computed by finding solutions to the equation
$$x^T D = 0$$
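The state equation (1), the two enabling rules (3) and (4) with the concurrency caveat above, and the invariant test $x^T D = 0$, as an added worked example (this is not code from the report). The two-place net it uses is constructed for the example: $t_1$ moves a token from $p_1$ to $p_2$ and $t_2$ moves it back. With one token in $p_1$, the concurrent firing vector $q = [1\ 1]^T$ is accepted by rule (4) alone, because the two firings cancel in $\mu + Dq$, even though $t_2$ is not enabled by itself; rule (3) and the per-transition check reject it.

```python
# Added example (not from the report): state equation (1), enabling rules (3)/(4),
# the independent-enabling check for concurrent firings, and a place-invariant test.
# The net is constructed for this example: p1 --t1--> p2 --t2--> p1.

from typing import List

Matrix = List[List[int]]
Vector = List[int]


def mat_vec(A: Matrix, v: Vector) -> Vector:
    """Integer matrix-vector product A v."""
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def mat_sub(A: Matrix, B: Matrix) -> Matrix:
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def vec_add(u: Vector, v: Vector) -> Vector:
    return [a + b for a, b in zip(u, v)]


def leq(u: Vector, v: Vector) -> bool:
    """Element-by-element u <= v, the interpretation of inequalities used in the report."""
    return all(a <= b for a, b in zip(u, v))


def enabled_rule3(D_minus: Matrix, mu: Vector, q: Vector) -> bool:
    """Rule (3): q >= 0 and D^- q <= mu. Counts every token the firings in q consume."""
    return all(x >= 0 for x in q) and leq(mat_vec(D_minus, q), mu)


def enabled_rule4(D: Matrix, mu: Vector, q: Vector) -> bool:
    """Rule (4): mu + D q >= 0. Valid only without self loops, and on its own it does
    not verify that each transition in q is enabled individually."""
    return all(x >= 0 for x in q) and all(x >= 0 for x in vec_add(mu, mat_vec(D, q)))


def enabled_rule4_independent(D: Matrix, mu: Vector, q: Vector) -> bool:
    """Rule (4) applied to the complete q and to every transition in q on its own,
    the check the report calls for when concurrent firings are allowed."""
    if not enabled_rule4(D, mu, q):
        return False
    for j, count in enumerate(q):
        if count > 0:
            single = [0] * len(q)
            single[j] = 1
            if not enabled_rule4(D, mu, single):
                return False
    return True


def fire(D: Matrix, mu: Vector, q: Vector) -> Vector:
    """State equation (1): mu(k+1) = mu(k) + D q(k)."""
    return vec_add(mu, mat_vec(D, q))


def is_place_invariant(D: Matrix, x: Vector) -> bool:
    """x is a place invariant iff x^T D = 0, i.e. x is orthogonal to every column of D."""
    return all(sum(x[i] * D[i][j] for i in range(len(D))) == 0 for j in range(len(D[0])))


# Constructed net: rows p1, p2; columns t1, t2.
D_MINUS: Matrix = [[1, 0],   # t1 consumes from p1
                   [0, 1]]   # t2 consumes from p2
D_PLUS: Matrix = [[0, 1],    # t2 produces into p1
                  [1, 0]]    # t1 produces into p2
D: Matrix = mat_sub(D_PLUS, D_MINUS)
MU0: Vector = [1, 0]


def concurrency_comparison() -> dict:
    """q = [1, 1] with one token in p1: rule (4) alone accepts it because the firings
    cancel in mu + D q, while rule (3) and the independent check reject it."""
    q_both = [1, 1]
    return {
        "rule3": enabled_rule3(D_MINUS, MU0, q_both),
        "rule4": enabled_rule4(D, MU0, q_both),
        "rule4_independent": enabled_rule4_independent(D, MU0, q_both),
    }


if __name__ == "__main__":
    print(concurrency_comparison())
    print(fire(D, MU0, [1, 0]))           # t1 fires: the token moves to p2
    print(is_place_invariant(D, [1, 1]))  # total token count is conserved
```

The element-by-element `leq` is the convention the report fixes for vector inequalities; `is_place_invariant` is the test a supervisor designer runs on the closed-loop $D$ of section 3 to confirm that the slack-variable equations have become invariants.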
3 Invariant Based Control Synthesis
3.1 Description of Method
The system in need of supervision, the plant net, is modeled by a Petri net with $n$ places and
$m$ transitions. The plant’s incidence matrix is $D_p \in \mathbb{Z}^{n \times m}$. The controller net is a Petri net with
incidence matrix $D_c \in \mathbb{Z}^{n_c \times m}$ made up of the plant’s transitions and a separate set of places. The
controlled system or controlled net is the Petri net with incidence matrix $D \in \mathbb{Z}^{(n+n_c) \times m}$ made up
of both the original plant and the added controller. The control goal is to force the plant to obey
constraints of the form
$$L \mu_p \le b \tag{5}$$
where $\mu_p \in \mathbb{Z}^n$, $\mu_p \ge 0$ is the marking vector of the plant, $L \in \mathbb{Z}^{n_c \times n}$, and $b \in \mathbb{Z}^{n_c}$. The inequality
is with respect to the individual elements of the two vectors $L\mu_p$ and $b$ and can be thought of as
the logical conjunction of $n_c$ separate linear inequalities.
Inequality (5) can be transformed into an equality by introducing an external Petri net controller
that contains places that represent nonnegative “slack variables.” The constraint then becomes
$$L \mu_p + \mu_c = b \tag{6}$$
where $\mu_c \in \mathbb{Z}^{n_c}$, $\mu_c \ge 0$ is the marking of the controller. Note that $\mu_c \ge 0$ because the number of
tokens in a PN place can not become negative; thus equation (6) implies inequality (5). The closed
loop system has the following Petri net structure.
$$D = \begin{bmatrix} D_p \\ D_c \end{bmatrix}, \qquad \mu_0 = \begin{bmatrix} \mu_{p0} \\ \mu_{c0} \end{bmatrix} \tag{7}$$
The controller is computed by observing that the introduction of slack variables forces a set
of place invariants on the overall controlled system defined by equation (6). The results in the
propositions below have been introduced and discussed in [15, 18, 19, 32].
Theorem 1. Invariant based controller synthesis. If
$$b - L \mu_{p0} \ge 0 \tag{8}$$
then a Petri net controller, $D_c \in \mathbb{Z}^{n_c \times m}$ with initial marking $\mu_{c0} \in \mathbb{Z}^{n_c}$,
$$D_c = -L D_p \tag{9}$$
$$\mu_{c0} = b - L \mu_{p0} \tag{10}$$
enforces constraint (5) when included in the closed loop system (7), assuming that the plant’s
transitions are controllable and observable.
If inequality (8) is not true, then the constraints can not be enforced by any controller since
the initial conditions of the plant lie outside the range allowed by the constraints.
Proof. If inequality (8) is not true, then obviously $L\mu_{p0} \not\le b$, and there is at least one row of
$L$, $l_i$, such that $l_i^T \mu_{p0} > b_i$ and the initial conditions of the plant violate the constraint. If the
inequality is true, then equation (10) shows that the initial conditions of the controller are defined
as a vector representing the slack in each of the constraints represented by $L\mu_p \le b$.
Equation (9) forces equation (6) to be place invariants of the closed loop system (see [18, 19, 32]),
thus inequality (5) will be true for all reachable markings of the closed loop system.
Proposition 2. Invariant based controllers are maximally permissive. Given a plant
and a set of enforceable constraints (5), a controller constructed according to the rules of Theorem
1 only acts to disable transitions when the firing indicated by the given $q$ vector leads to a state
forbidden by (5).
Proof. According to the rules of PN evolution, the controller will only disable transitions when
the firing indicated by $q$ would cause the marking of at least one of its places to become negative.
Since (6) represents a set of invariants in the closed loop system, any negative element in $\mu_c$ indicates
a violation of (5), and all states allowed by (5) correspond to nonnegative values in $\mu_c$.
It has also been shown in [32] that the controller only induces place invariants in the closed
loop system that are specifically described by equation (6). All place invariants of the closed loop
system are accounted for by those originally present in the plant and those specifically required to
enforce the constraints.
Figure 1: The piston rod robotic assembly cell with its initial controller. [Figure not reproduced in this extraction; it shows plant places p1 to p8, transitions t1 to t9, and controller places c1, c2, c3.]
3.2 Example – The Piston Rod Robotic Assembly Cell
The piston rod assembly cell application is partially based on a similar plant described in chapter
8 of [4]. The Petri net model of the plant is shown in Figure 1, and Table 1 details the meaning
of each place in the net. The number of tokens in each place signifies the number of resources or
robots engaged in the activities described in Table 1. The assembly of each part requires work by
two different robots. An S-380 robot is used to prepare and align the parts for assembly, and an
M-1 robot installs the cap on the piston rod. Places $c_1$, $c_2$ and $c_3$ in Figure 1 are the components
of a supervisory controller, the design of which is covered here.
p1   Engine block and crank shaft are ready to be processed.
p2   S-380 robot aligns the crank shaft.
p3   S-380 robot picks up new piston rod and positions it in work space.
p4   Engine block prepared and ready for work by M-1 robot.
p5   M-1 robot picks up a piston pulling tool.
p6   M-1 robot pulls the piston rod into the engine block, returns pulling tool.
p7   M-1 robot positions a cap on the piston rod.
p8   M-1 robot bolts the cap to the piston rod.
Table 1: Place descriptions for Figure 1.
There are three S-380 and three M-1 robots available in the assembly cell. There are two piston
pulling tools. These resource constraints are translated into linear inequalities on the state space
of the plant:
$$\mu_2 + \mu_3 \le 3 \quad \text{(three S-380 robots)} \tag{11}$$
$$\mu_5 + \mu_6 + \mu_7 + \mu_8 \le 3 \quad \text{(three M-1 robots)} \tag{12}$$
$$\mu_5 + \mu_6 \le 2 \quad \text{(two piston pulling tools)} \tag{13}$$
Each inequality is enforced by a separate controller place. The connections of these three places,
$c_1$, $c_2$, and $c_3$, to the plant and their initial markings are calculated using Theorem 1, resulting in
the maximally permissive supervisor shown in Figure 1.
$$D_c = -\underbrace{\begin{bmatrix}
0 & 1 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 1 & 1 & 0 & 0
\end{bmatrix}}_{L}
\underbrace{\begin{bmatrix}
1 & -1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & -1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & -1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & -1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & -1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & -1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & -1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & -1
\end{bmatrix}}_{D_p}
= \begin{bmatrix}
0 & -1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & -1 & 0 & 1 & 0 & 0
\end{bmatrix}$$
$$\mu_{c0} = \underbrace{\begin{bmatrix} 3 \\ 3 \\ 2 \end{bmatrix}}_{b} - L\mu_{p0} = \begin{bmatrix} 3 \\ 3 \\ 2 \end{bmatrix}$$
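Theorem 1 carried out in code and applied to the assembly cell of this section, as an added worked example (not the report's own code). $D_p$, $L$ and $b$ are transcribed from the report; the initial plant marking is an assumption of the example, with tokens only in $p_1$ (consistent with $\mu_{c0} = [3\ 3\ 2]^T$ above, which requires $L\mu_{p0} = 0$), here five of them. The synthesis function refuses a constraint whose initial marking already violates it, which is exactly condition (8), and the closed loop is then simulated to show controller place $c_1$ blocking the fourth firing of $t_2$.

```python
# Added example (not from the report): invariant based controller synthesis of
# Theorem 1, D_c = -L D_p and mu_c0 = b - L mu_p0, applied to the piston rod cell.
# D_p, L and b are transcribed from the report; MU_P0 is this example's assumption.

from typing import List, Tuple

Matrix = List[List[int]]
Vector = List[int]


def mat_vec(A: Matrix, v: Vector) -> Vector:
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def mat_mul(A: Matrix, B: Matrix) -> Matrix:
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def synthesize_controller(Dp: Matrix, L: Matrix, b: Vector, mu_p0: Vector) -> Tuple[Matrix, Vector]:
    """Theorem 1: (D_c, mu_c0) = (-L D_p, b - L mu_p0). Raises ValueError when (8)
    fails, i.e. the initial marking already violates L mu_p <= b."""
    mu_c0 = [bi - x for bi, x in zip(b, mat_vec(L, mu_p0))]
    if any(x < 0 for x in mu_c0):
        raise ValueError("initial marking violates the constraint; condition (8) fails")
    Dc = [[-x for x in row] for row in mat_mul(L, Dp)]
    return Dc, mu_c0


# Plant incidence matrix of Figure 1 (rows p1..p8, columns t1..t9), from the report.
DP: Matrix = [
    [1, -1,  0,  0,  0,  0,  0,  0,  0],
    [0,  1, -1,  0,  0,  0,  0,  0,  0],
    [0,  0,  1, -1,  0,  0,  0,  0,  0],
    [0,  0,  0,  1,  0, -1,  0,  0,  0],
    [0,  0,  0,  0,  1, -1,  0,  0,  0],
    [0,  0,  0,  0,  0,  1, -1,  0,  0],
    [0,  0,  0,  0,  0,  0,  1, -1,  0],
    [0,  0,  0,  0,  0,  0,  0,  1, -1],
]
# Constraints (11)-(13): three S-380 robots, three M-1 robots, two pulling tools.
L_CELL: Matrix = [
    [0, 1, 1, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 1, 1, 1],
    [0, 0, 0, 0, 1, 1, 0, 0],
]
B_CELL: Vector = [3, 3, 2]
MU_P0: Vector = [5, 0, 0, 0, 0, 0, 0, 0]   # assumption: five engine blocks waiting in p1


def closed_loop(Dp: Matrix, Dc: Matrix, mu_p0: Vector, mu_c0: Vector) -> Tuple[Matrix, Vector]:
    """Closed loop structure (7): plant rows stacked over controller rows."""
    return Dp + Dc, mu_p0 + mu_c0


def enabled(D: Matrix, mu: Vector, t: int) -> bool:
    """Single-transition enabling by rule (4); the closed loop net has no self loops."""
    q = [0] * len(D[0])
    q[t] = 1
    return all(m + d >= 0 for m, d in zip(mu, mat_vec(D, q)))


def fire(D: Matrix, mu: Vector, t: int) -> Vector:
    q = [0] * len(D[0])
    q[t] = 1
    return [m + d for m, d in zip(mu, mat_vec(D, q))]


def demo_s380_limit() -> Tuple[int, bool]:
    """Fire t2 (an S-380 robot starts aligning a crank shaft) as often as the supervisor
    permits. Returns (firings admitted, whether mu_2 + mu_3 <= 3 still holds)."""
    Dc, mu_c0 = synthesize_controller(DP, L_CELL, B_CELL, MU_P0)
    D, mu = closed_loop(DP, Dc, MU_P0, mu_c0)
    fired = 0
    while enabled(D, mu, 1):          # column index 1 is t2
        mu = fire(D, mu, 1)
        fired += 1
    return fired, mu[1] + mu[2] <= 3


if __name__ == "__main__":
    Dc, mu_c0 = synthesize_controller(DP, L_CELL, B_CELL, MU_P0)
    for row in Dc:
        print(row)
    print(mu_c0, demo_s380_limit())
```

The three rows of `Dc` reproduce the matrix computed above, and the simulation stops after three firings of $t_2$ with $c_1$ empty, which is the maximally permissive behaviour of Proposition 2: nothing is disabled until the next firing would push $\mu_2 + \mu_3$ past 3.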
4 Admissible Constraints and Controls
4.1 Uncontrollable and Unobservable Transitions
A transition is called uncontrollable if the firing of that transition may not be inhibited by an
external action. The freedom of an uncontrollable transition to fire is limited solely by the structure
and state of the plant.
In order for a Petri net controller to inhibit a transition, it must contain an arc from a controller
place to the transition. The transition will be disabled if the number of tokens in the control place
is less than the arc weight.
A transition is called unobservable if the firings of that transition can not be directly detected
or measured. Since the firing of an unobservable transition can not be detected, a controller state
change can not be triggered by such a firing.
For a Petri net based controller, both input and output arcs to the plant transitions are used
to trigger state changes in the controller. A Petri net controller can not have any connections to
an unobservable transition, thus all unobservable transitions are also implicitly uncontrollable; of
course, an uncontrollable transition may or may not be unobservable. One can imagine a situation
where the occurrence of some event in a plant could be blocked without the controller ever receiving
any feedback relating directly to that event, but, in practical situations, the ability to inhibit an
event is usually coupled with the ability to detect occurrences of that event. For this reason, this
limitation on Petri net based controllers is not too severe.
4.2 Constraint Transformations
Given a set of constraints, Lµp≤b, a supervisor must work to insure that the constraints are
never violated directly and may never be violated through the firing of uncontrollable transitions or
through incomplete knowledge due to unobservable transitions. In order to avoid expensive online
searches by the supervisor through the uncontrollably reachable markings of the plant, the approach
taken here is to actually modify the constraints themselves such that the new constraints account
for uncontrollability and unobservability. The following definitions are useful in understanding the
motivation for the transformation of constraints. The definitions are with respect to a plant with
possible uncontrollable or unobservable transitions and constraints on the marking behavior of the
plant in the form Lµp≤b. Unobservable transitions are also assumed to be uncontrollable.
Definition 3. An admissible marking $\mu_p$ is a marking such that
1. $L\mu_p \le b$, and
2. For all markings $\mu_p'$ reachable from $\mu_p$ through the firing of uncontrollable transitions, $L\mu_p' \le b$.
If either of these conditions is not met, then the marking is inadmissible.
Definition 4. Given a plant with initial marking $\mu_p(0) = \mu_{p0}$, an admissible constraint
satisfies two conditions:
1. $L\mu_{p0} \le b$, and
2. For all $\mu_p(N)$ reachable from $\mu_p(0)$ through any path of consecutively reachable markings,
$\mu_p(0) \to \mu_p(1) \to \cdots \to \mu_p(N)$, where
$$L\mu_p(i) \le b, \quad \text{for } 1 \le i \le N,$$
$\mu_p(N)$ is an admissible marking.
If a constraint does not satisfy both of these conditions, then it is inadmissible.
If a constraint is admissible, then condition 2 of Definition 4 indicates that the firing of un-
controllable transitions can never lead from a state that satisfies the constraint to a new state
that violates that constraint. Note that the admissibility of a particular marking does not imply
that the marking is actually reachable, either due to the initial marking of the plant or due to the
restrictions of a supervisor.
An admissible constraint will only allow admissible markings, however there may exist admis-
sible markings that could be reached by the uncontrolled plant that can not be reached under
maximally permissive supervision. Definition 4 incorporates this by checking the admissibility of
markings that were achieved by following paths in which all intermediate markings satisfy the
constraint. This set of reachable, admissible markings is similar to the set $Re(G, P)$ defined in [12].
Figure 2: Transitions 2 and 3 are uncontrollable. [Figure not reproduced in this extraction; it shows places p1, p2, p3 and transitions t1 to t4.]
Example. The Petri net of Figure 2 contains two uncontrollable transitions: $t_2$ and $t_3$. Tokens
in places $p_2$ and $p_3$ can not be prevented from freely traveling between these two places. However
$t_1$ can be used to stop the introduction of new tokens into $p_2$ and $p_3$, and $t_4$ can be used to prevent
tokens from leaving.
The constraint
$$\mu_3 \le 1 \tag{14}$$
is inadmissible. The initial state of the plant $\mu_0 = [\,1\ \ 2\ \ 1\,]^T$ satisfies the constraint, but the
uncontrollable firing of $t_3$ would lead to the state $\mu = [\,1\ \ 1\ \ 2\,]^T$, which violates (14). The
constraint fails condition 2 of Definition 4.
The constraint
$$\mu_1 \le 1 \tag{15}$$
is admissible. The current state of the plant satisfies the constraint, and for any state that satisfies
the constraint, there is no firing of uncontrollable transitions that would lead to a state that does
not satisfy it. The marking of $p_1$ is affected only by the firings of transitions $t_1$ and $t_4$, both of
which are controllable.
If $L\mu_p \le b$ is inadmissible, then it is desirable to find another constraint $L'\mu_p \le b'$ such that
$L'\mu_p \le b'$ is an admissible constraint, and for all $\mu_p$ such that $L'\mu_p \le b'$, $L\mu_p \le b$ is also true. In
the example above, we could replace constraint (14) with
$$\mu_2 + \mu_3 \le 1 \tag{16}$$
This constraint is admissible according to Definition 4, and all reachable states that satisfy (16)
also satisfy (14). Thus constraint (14) could be enforced by designing a controller for constraint
(16) using the technique of section 3. Unfortunately a controller designed this way may not be
maximally permissive. The method of handling uncontrollable/unobservable transitions in section
5 of this paper follows along these lines, but it also includes the idea of finding all constraints
$L'\mu_p \le b'$ that meet the criteria above. Section 6 then shows how to construct a controller that
enforces the disjunction of these inequalities allowing for a high degree of plant freedom.
4.3 Petri Net Modeled Supervisors
The supervisors used in this paper are modeled by Petri nets. Uncontrollable and unobservable
transitions can cause problems for PN based supervisors due to limitations in their modeling power;
however, Petri net supervisors are still useful for several reasons. Unified plant/controller models
are elegant, facilitating implementation and closed loop system analysis. The evolution of Petri net
models is inexpensive to compute, facilitating their use in real time control applications. Desirable
Petri net qualities, such as automatic handling of concurrent events, are maintained with unified
plant/controller PN models. Though the decision power of a Petri net supervisor is not unlimited,
a good variety of DES control problems can be effectively and efficiently solved through their use.
Recognizing the controller as a Petri net facilitates understanding of what can and can not be done
with the supervisor. This will become evident in the material below.
For an invariant based Petri net supervisor to be realizable on a plant with uncontrollable and
unobservable transitions, the constraint it is enforcing must be admissible. Proposition 5 provides
necessary and sufficient conditions for any behavioral constraint to be admissible. Definitions 3
and 4 are written specifically for linear state-based constraints, however, they can be thought of in
terms of general behavioral constraints. That is, Definition 3 requires that a particular marking and
all behaviors achieved through the firing of uncontrollable transitions from that marking conform
to the constraint. Definition 4 requires that the initial condition of a plant satisfy the constraint,
and that all markings visited through any behavior that conforms to the constraint are admissible
markings.
The behavior of a maximally permissive supervisor is analyzed in Proposition 5. Here the
term maximally permissive is used in the sense of section 3, where all transitions are assumed to
be controllable. In this case, a maximally permissive controller only prevents firings that lead to
states that directly violate the given constraint.
Proposition 5. General constraint admissibility. A constraint on the marking and/or firing
behavior of a Petri net is admissible iff
1. The initial conditions of the plant satisfy the constraint, and
2. There exists a maximally permissive controller (constructed under the assumption that all
transitions are controllable) that enforces the constraint and does not inhibit any uncontrol-
lable transitions that would otherwise be enabled.
Proof. Clearly, if the initial conditions of a plant violate a constraint, then that constraint can
not be enforced and is inadmissible according to condition 1 of Definition 4. Furthermore, if the
constraint is admissible, then a maximally permissive controller would have no need to attempt to
disable otherwise enabled uncontrollable transitions, as per Definition 4.
A maximally permissive controller will only allow reachable states or behaviors that do not
violate the constraint. Thus, if a maximally permissive controller never attempts to inhibit an oth-
erwise enabled uncontrollable transition, then the constraint it is enforcing is admissible according
to Definition 4.
Corollary 6. Place-constraint admissibility. The single vector constraint $l^T\mu_p \le b$ is admissible
iff the controller with incidence matrix $D_c = -l^T D_p$ and initial marking $\mu_{c0} = b - l^T\mu_{p0} \ge 0$
will never attempt to disable an uncontrollable transition that would otherwise be enabled.
Proof. If $\mu_{c0} \not\ge 0$, then the initial conditions of the plant violate the constraint, and that con-
straint can not be enforced and is inadmissible according to condition 1 of Definition 4. Invariant
based controllers are maximally permissive according to Proposition 2; if the constraint is admissi-
ble, then this maximally permissive controller would have no need to attempt to disable otherwise
enabled uncontrollable transitions, as per Definition 4.
Invariant based controllers only allow reachable states that do not violate the constraint by
inhibiting the firing of any transition that would directly lead to a marking that violates the
constraint. Thus, if it never attempts to inhibit an otherwise enabled uncontrollable transition,
then the constraint it is enforcing is admissible according to Definition 4.
Remark. Corollary 6 deals with individual inequality constraints rather than the vector inequality
$L\mu_p \le b$ because each of the inequalities in $L\mu_p \le b$ can be handled independently. Certain
constraints in $L\mu_p \le b$ may be admissible, while others may not.
Equations (9) and (10) from Theorem 1 show that it is possible to construct the incidence
matrix $D_c$ of a maximally permissive Petri net controller as a linear combination of the rows of
the incidence matrix of the plant. Negative elements in $D_c$ correspond to arcs from controller
places to plant transitions. These arcs act to inhibit plant transitions when the corresponding
controller places are empty, and thus they can only be applied to plant transitions that permit such
external control. If we group all of the columns of $D_p$ that correspond to transitions that can not
be controlled into the matrix $D_{uc}$, we obtain the following corollary.
Corollary 7. $l^T D_{uc} \le 0$ implies admissibility. Given a plant with uncontrollable transitions
described by the incidence matrix $D_{uc}$ and a constraint $l^T \mu_p \le b$, if
$$l^T D_{uc} \le 0 \qquad (17)$$
then the constraint is admissible for the given plant.
Proof. The proof follows from Corollary 6 and the construction of the Petri net controller
whose incidence matrix is $D_c = -l^T D_p$ as described in section 4.1. Inequality (17) insures that the
controller draws no arcs to uncontrollable transitions.
Example. Corollary 7 can be used to verify the results from the example in section 4.2. Since
transitions $t_2$ and $t_3$ are uncontrollable in the Petri net of Figure 2, $D_{uc}$ is composed of the second
and third columns of the plant incidence matrix.
$$D_p = \begin{bmatrix} -1 & 0 & 0 & 1 \\ 1 & 1 & -1 & 0 \\ 0 & -1 & 1 & -1 \end{bmatrix}, \qquad
D_{uc} = \begin{bmatrix} 0 & 0 \\ 1 & -1 \\ -1 & 1 \end{bmatrix}$$
Constraint (14) fails to meet condition (17) of the corollary.
$$\begin{bmatrix} 0 & 0 & 1 \end{bmatrix} D_{uc} = \begin{bmatrix} -1 & 1 \end{bmatrix}$$
Constraints (15) and (16) both meet condition (17) and are both admissible.
$$\begin{bmatrix} 1 & 0 & 0 \end{bmatrix} D_{uc} = \begin{bmatrix} 0 & 0 \end{bmatrix}$$
$$\begin{bmatrix} 0 & 1 & 1 \end{bmatrix} D_{uc} = \begin{bmatrix} 0 & 0 \end{bmatrix}$$
Remark. Corollary 7 provides only a sufficient condition for constraint admissibility. There
exist situations for which $l^T D_{uc} \not\le 0$, but $l^T \mu_p \le b$ is still an admissible constraint (see [15, 16]).
However, for most practical examples, constraints that fail condition (17) are inadmissible and will
need to be transformed if they are to be enforced.
As discussed in section 4.1, it is illegal for the controller to change its state based on the firing
of an unobservable transition, because there is no direct way for the controller to be told that such
a transition has fired. Both input and output arcs from the controller places are used to change the
controller state based on the firings of plant transitions. Let the matrix Duo represent the incidence
matrix of the unobservable portion of the Petri net. This matrix is composed of the columns of Dp
that correspond to unobservable transitions, just as Duc is composed of the uncontrollable columns
of Dp.
Corollary 8. $l^T D_{uo} = 0$ implies admissibility. Given a plant with unobservable transitions
described by the incidence matrix $D_{uo}$ and a constraint $l^T \mu_p \le b$, if
$$l^T D_{uo} = 0 \qquad (18)$$
then the constraint is admissible.
Proof. As with Corollary 7, the proof follows from Corollary 6 and the construction of the Petri
net controller whose incidence matrix is $D_c = -l^T D_p$ as described in section 4.1. Equation (18)
insures that the controller draws no arcs to or from unobservable transitions.
Remark. Corollaries 7 and 8 indicate that it is possible to observe a transition that we can not
inhibit, but it is illegal to directly inhibit a transition that we can not observe.
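The checks of Corollaries 7 and 8 as executable code, added here as an illustration and not taken from the report. The block uses the three-place plant of section 4.2 (its incidence matrix is the one printed in the example above, with $t_2$ and $t_3$ uncontrollable) and evaluates $l^T D_{uc}$ and $l^T D_{uo}$ for the left-hand sides of (14), (15) and (16); it also lists which uncontrollable transitions the controller $D_c = -l^T D_p$ would try to inhibit, which is the situation condition (17) rules out. Function names and the matrix layout are this example's own choices.

```python
# Added example (not part of the report): checking the sufficient conditions (17)
# of Corollary 7 and (18) of Corollary 8 on the three-place net of section 4.2.
# D_P is the plant incidence matrix printed in the example above; row i is place
# p_{i+1}, column j is transition t_{j+1}, and t2, t3 (columns 1 and 2) are the
# uncontrollable transitions. Matrices are plain lists of lists.

D_P = [
    [-1,  0,  0,  1],   # p1
    [ 1,  1, -1,  0],   # p2
    [ 0, -1,  1, -1],   # p3
]
UC = [1, 2]                      # 0-based indices of the uncontrollable columns

def columns(D, idx):
    """Sub-matrix made of the columns of D whose 0-based indices are in idx."""
    return [[row[j] for j in idx] for row in D]

def vec_mat(l, D):
    """Row vector times matrix: l^T D."""
    return [sum(l[i] * D[i][j] for i in range(len(D))) for j in range(len(D[0]))]

def admissible_uncontrollable(l, D_uc):
    """Condition (17): l^T D_uc <= 0, so no controller arc points at an uncontrollable transition."""
    return all(v <= 0 for v in vec_mat(l, D_uc))

def admissible_unobservable(l, D_uo):
    """Condition (18): l^T D_uo = 0, so the controller has no arc to or from an unobservable transition."""
    return all(v == 0 for v in vec_mat(l, D_uo))

def inhibiting_arcs(l, D_p, uc_idx):
    """Transitions in uc_idx that the controller D_c = -l^T D_p would inhibit
    (a negative entry of D_c is an arc from the controller place to that transition)."""
    D_c = [-v for v in vec_mat(l, D_p)]
    return [j for j in uc_idx if D_c[j] < 0]

D_UC = columns(D_P, UC)

CONSTRAINTS = {                   # left-hand sides of (14), (15), (16)
    "(14)": [0, 0, 1],
    "(15)": [1, 0, 0],
    "(16)": [0, 1, 1],
}

def report():
    """For each constraint: l^T D_uc, the verdict of (17), and the uncontrollable
    transitions (0-based) the controller would try to inhibit."""
    return {name: (vec_mat(l, D_UC),
                   admissible_uncontrollable(l, D_UC),
                   inhibiting_arcs(l, D_P, UC))
            for name, l in CONSTRAINTS.items()}

if __name__ == "__main__":
    for name, (prod, ok, arcs) in report().items():
        print(f"{name}: l^T D_uc = {prod}, admissible by (17): {ok}, "
              f"would inhibit t{[j + 1 for j in arcs]}")
```

Running the block reproduces the three products shown above: (14) yields $[-1 \; 1]$ and would draw an arc to $t_3$, while (15) and (16) yield $[0 \; 0]$. Since (18) is the stronger condition, the same helper also reports that (15) and (16) would remain admissible if $t_2$ and $t_3$ were unobservable as well, and (14) would not.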
Suppose, given a set of constraints $L\mu_p \le b$, we construct the matrices $L D_{uc}$ and $L D_{uo}$ and
observe that there are violations to conditions (17) and/or (18). What other constraints, of the
form $L'\mu_p \le b'$, will also maintain the original constraint $L\mu_p \le b$?
Lemma 9. Constraint transformation structure.
Let $R_1 \in \mathbb{Z}^{n_c \times n}$ satisfy $R_1 \mu_p \ge 0 \;\; \forall \mu_p$. (19)
Let $R_2 \in \mathbb{Z}^{n_c \times n_c}$ be a positive definite diagonal matrix. (20)
If $L'\mu_p \le b'$ where
$$L' = R_1 + R_2 L \qquad (21)$$
$$b' = R_2(b + \mathbf{1}) - \mathbf{1} \qquad (22)$$
and $\mathbf{1}$ is an $n_c$-dimensional vector of 1's, then $L\mu_p \le b$.
Proof. The transformed constraint is $(R_1 + R_2 L)\mu_p \le R_2(b + \mathbf{1}) - \mathbf{1}$. Because all of the elements
are integers, the inequality can be transformed into a strict inequality:
$$(R_1 + R_2 L)\mu_p < R_2(b + \mathbf{1})$$
Because $R_2$ is diagonal and positive definite,
$$R_2^{-1} R_1 \mu_p + L\mu_p < b + \mathbf{1}$$
Assumptions (19) and (20) imply that all elements of the vector $R_2^{-1} R_1 \mu_p$ are nonnegative, therefore $L\mu_p \le b$.
Lemma 9 shows a class of constraints, $L'\mu_p \le b'$, which, if enforced, will imply that $L\mu_p \le b$ is
also enforced. The following lemma is used to show the conditions under which a particular set of
constraints can be enforced on a particular Petri net.
Lemma 10. Initial condition check for transformed constraints. The constraint $L'\mu_p \le b'$,
where $L' \ne 0$ and $b'$ are defined by (21) and (22), can be enforced on a Petri net with initial
marking $\mu_{p0}$ iff
$$0 \le R_1 \mu_{p0} \le R_2(b + \mathbf{1} - L\mu_{p0}) - \mathbf{1} \qquad (23)$$
Proof. Substituting $L'$ and $b'$ into (23) gives $0 \le b' - L'\mu_{p0}$, which is equivalent to the condition
$L'\mu_{p0} \le b'$ that states that the initial conditions of the plant must fall within the acceptable region
of the constraints. Clearly, if a controller does exist, then the initial conditions of the plant must
not violate the constraints. Furthermore, as shown in section 3, if the initial conditions lie within
the acceptable region of the plant (inequality (8)), a controller to enforce the conditions can be
computed with incidence matrix $D_c = -L' D_p$ and initial marking $\mu_{c0} = b' - L'\mu_{p0}$.
Theorem 11 combines Corollaries 7 and 8 with the conditions for creating a valid set of trans-
formed constraints in lemmas 9 and 10 to show how to construct a Petri net controller.
Theorem 11. Constraint transformation and supervisor synthesis. Let a plant Petri
net with incidence matrix $D_p$ be given with a set of uncontrollable transitions described by $D_{uc}$
and a set of unobservable transitions described by $D_{uo}$. A set of linear constraints on the net
marking, $L\mu_p \le b$, are to be imposed. Assume $R_1$ and $R_2$ meet (19) and (20) with $R_1 + R_2 L \ne 0$
and let
$$\begin{bmatrix} R_1 & R_2 \end{bmatrix}
\begin{bmatrix} D_{uc} & D_{uo} & -D_{uo} & \mu_{p0} \\ L D_{uc} & L D_{uo} & -L D_{uo} & L\mu_{p0} - b - \mathbf{1} \end{bmatrix}
\le \begin{bmatrix} 0 & 0 & 0 & -\mathbf{1} \end{bmatrix} \qquad (24)$$
Then the controller
$$D_c = -(R_1 + R_2 L) D_p = -L' D_p \qquad (25)$$
$$\mu_{c0} = R_2(b + \mathbf{1}) - \mathbf{1} - (R_1 + R_2 L)\mu_{p0} = b' - L'\mu_{p0} \qquad (26)$$
exists and causes all subsequent markings of the closed loop system (7) to satisfy the constraint
$L\mu_p \le b$ without attempting to inhibit uncontrollable transitions and without detecting unobservable
transitions.
Proof. According to (9) and (10), equations (25) and (26) define a controller that enforces the
constraint $L'\mu_p \le b'$. Lemma 9 shows that if assumptions (19) and (20) are met then a controller
that enforces a particular constraint $L'\mu_p \le b'$ will also enforce the constraint $L\mu_p \le b$. The fourth
column of inequality (24) indicates that the condition in lemma 10 is satisfied, thus the controller
exists and the control law can be enforced. The first column of (24) indicates that $L' D_{uc} \le 0$, thus
condition (17) is satisfied and no controller arcs are drawn to the uncontrollable transitions. The
second and third columns of (24) indicate that $L' D_{uo} = 0$, thus condition (18) is satisfied and no
arcs are drawn between the controller places and the unobservable plant transitions.
Remark. $\begin{bmatrix} R_1 & R_2 \end{bmatrix}$, which is used to describe the constraint transformation, is a left multiplier
in (24), thus this matrix represents the use of rows from $D_{uc}$ to eliminate positive elements from
$L D_{uc}$, and the use of rows from $D_{uo}$ to zero the elements of $L D_{uo}$.
The usefulness of Theorem 11 for specifying controllers to handle plants with uncontrollable
and unobservable transitions lies in the ease with which the matrices $R_1$ and $R_2$ can be generated.
Two computational techniques for computing these matrices can be found in the appendix. The
first technique is an integer program that searches through feasible solutions satisfying (17) and
(18) along directions dictated by (23). The second technique finds appropriate transformations
through the use of constrained integer row operations. Full details of each algorithm are included
in the appendix.
4.4 Example – Uncontrollable and Unobservable Transitions in the Assembly Cell
Uncontrollable and unobservable transitions are introduced into the robotic assembly cell example
from section 3.2. The operation of the M-1 robots is now considered to be governed by a
separate, independent controller. Transitions $t_6$, $t_7$, and $t_8$ can neither be observed nor inhibited
by the resource supervisor of section 3.2.
The uncontrollable and unobservable portion of the plant is described by the matrix $D_{uo}$, which
is composed of the sixth through eighth columns of $D_p$. Of the three constraints, (11), (12), and
(13), only (13) fails the test of Corollary 8, since
$$\begin{bmatrix} 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 \end{bmatrix} D_{uo} = \begin{bmatrix} 0 & -1 & 0 \end{bmatrix} \qquad (27)$$
If the plant transitions were merely uncontrollable and not unobservable as well, then the constraint
would be admissible according to Corollary 7, but Corollary 8 indicates that $l^T D_{uo} = 0$ is the
sufficient condition for admissibility with unobservable transitions.
The right hand side of (27) can be zeroed by adding to it the seventh and eighth rows of $D_{uc}$.
In terms of Theorem 11, this corresponds to a constraint transformation using
$$R_1 = \begin{bmatrix} 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \end{bmatrix}, \qquad R_2 = 1$$
The transformed constraint,
$$\mu_5 + \mu_6 + \mu_7 + \mu_8 \le 2 \qquad (28)$$
is admissible and represents the maximally permissive admissible control law for enforcing (12).
The new configuration for $c_3$ is shown in Figure 3. Note that places $c_2$ and $c_3$ now have the exact
same connections to the plant. It would be possible to eliminate $c_2$, since its action is now implied
by $c_3$, but instead, both places will be maintained in order to account for dynamic changes in the
number of available resources or sensors (see [16, 17]).
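The transformation of Lemma 9 and the column-by-column check of inequality (24) in Theorem 11, carried out on the data of this example in code. This is an added illustration, not code from the report. The report's figure is not reproduced here, so the block uses a constructed stand-in for columns 6 through 8 of the assembly cell's $D_p$: it assumes $t_6$, $t_7$, $t_8$ move a token $p_5 \to p_6 \to p_7 \to p_8$, which reproduces the products the text states ($l^T D_{uo} = [0\;{-1}\;0]$ for $l = p_5 + p_6$, and rows seven and eight summing to $[0\;1\;0]$). The initial marking and all function names are likewise this example's assumptions.

```python
# Added example (not part of the report): Lemma 9's constraint transformation and
# the check of inequality (24) from Theorem 11, run on the data of section 4.4.
# D_UO is a CONSTRUCTED stand-in for columns 6-8 of the assembly cell's incidence
# matrix: t6, t7, t8 are assumed to move one token p5 -> p6 -> p7 -> p8. It
# reproduces the products stated in the text, l^T D_uo = [0 -1 0] for l = p5 + p6
# (equation (27)) and R1 D_uo = [0 1 0] for R1 = p7 + p8. These transitions are
# both unobservable and uncontrollable, so D_uc = D_uo. n_c = 1 here, so b, b'
# and R2 are scalars.

D_UO = [
    [ 0,  0,  0],   # p1
    [ 0,  0,  0],   # p2
    [ 0,  0,  0],   # p3
    [ 0,  0,  0],   # p4
    [-1,  0,  0],   # p5: t6 consumes
    [ 1, -1,  0],   # p6: t6 produces, t7 consumes
    [ 0,  1, -1],   # p7: t7 produces, t8 consumes
    [ 0,  0,  1],   # p8: t8 produces
]
D_UC = D_UO

def vec_mat(l, D):
    """Row vector times matrix: l^T D."""
    return [sum(l[i] * D[i][j] for i in range(len(D))) for j in range(len(D[0]))]

def dot(l, mu):
    return sum(a * b for a, b in zip(l, mu))

def transform(l, b, r1, r2):
    """(21) and (22) for one constraint: l' = r1 + r2 l, b' = r2 (b + 1) - 1."""
    return [x + r2 * y for x, y in zip(r1, l)], r2 * (b + 1) - 1

def theorem11_conditions(l, b, r1, r2, D_uc, D_uo, mu_p0):
    """Evaluate the column blocks of (24) for the row [R1 R2]:
    (R1 + R2 l) D_uc <= 0, (R1 + R2 l) D_uo = 0 (the +D_uo and -D_uo blocks),
    R1 mu_p0 + R2 (l mu_p0 - b - 1) <= -1, together with (19), R1 mu_p0 >= 0.
    Returns (all_hold, details)."""
    l_new, _ = transform(l, b, r1, r2)
    col_uc = vec_mat(l_new, D_uc)
    col_uo = vec_mat(l_new, D_uo)
    col_init = dot(r1, mu_p0) + r2 * (dot(l, mu_p0) - b - 1)
    holds = (all(v <= 0 for v in col_uc)
             and all(v == 0 for v in col_uo)
             and col_init <= -1
             and dot(r1, mu_p0) >= 0)
    return holds, {"uc": col_uc, "uo": col_uo, "init": col_init}

def controller(l_new, b_new, D, mu_p0):
    """(25) and (26) restricted to the columns in D: D_c = -l'^T D, mu_c0 = b' - l'^T mu_p0."""
    return [-v for v in vec_mat(l_new, D)], b_new - dot(l_new, mu_p0)

# Constraint (13), mu5 + mu6 <= 2, and the transformation chosen in section 4.4.
L13, B13 = [0, 0, 0, 0, 1, 1, 0, 0], 2
R1, R2 = [0, 0, 0, 0, 0, 0, 1, 1], 1
MU_P0 = [3, 0, 0, 0, 0, 0, 0, 0]   # constructed: every token idle in p1

if __name__ == "__main__":
    print("l^T D_uo =", vec_mat(L13, D_UO))                       # [0, -1, 0], as in (27)
    print("untransformed:", theorem11_conditions(L13, B13, [0] * 8, 1, D_UC, D_UO, MU_P0))
    l_new, b_new = transform(L13, B13, R1, R2)
    print("transformed:", l_new, "<=", b_new)                      # (28)
    print("transformed:", theorem11_conditions(L13, B13, R1, R2, D_UC, D_UO, MU_P0))
    print("controller arcs on t6..t8:", controller(l_new, b_new, D_UO, MU_P0))
```

With $R_1 = 0$, $R_2 = 1$ the untransformed constraint fails the $D_{uo}$ blocks of (24) exactly as (27) predicts; with the $R_1$ of the text the transformed row $[0\;0\;0\;0\;1\;1\;1\;1]$, $b' = 2$ satisfies every block, and the controller built from it has zero entries on the three unobservable columns, i.e. no arcs to or from $t_6$, $t_7$, $t_8$.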
[Figure 3 omitted: the modified assembly cell with places $p_1$ through $p_8$, transitions $t_1$ through $t_9$, and controller places $c_1$, $c_2$, $c_3$.]
Figure 3: The modified assembly cell and supervisor after the introduction of uncontrollable and
unobservable transitions.
5 Structure of Admissible Constraints and Controls
Given a plant with uncontrollable/unobservable transitions, it is useful to seek methods for
transforming inadmissible constraints into admissible ones, but it is also logical to ask, in general,
what are the admissible constraints for this plant? Is there a way to characterize all or most of these
constraints? Section 5.1 provides a method for just such a characterization. Section 5.2 shows how
this characterization may be used to synthesize controllers for plants with unobservable transitions,
and section 5.3 covers the synthesis problem for plants with uncontrollable transitions.
5.1 Characterization of Admissible Constraints
As in the previous sections, let the matrix Duo represent the incidence matrix of the unobservable
portion of the Petri net. It is illegal for the controller Dc=−LDpto contain any arcs in the
unobservable portion of the net, thus an admissible set of constraints will satisfy
LDuo = 0 (29)
as indicated in Corollary 8.
Any Lthat satisfies (29) will lie within the kernel of Duo.LetXsatisfy
XDuo = 0 (30)
where X∈ZZ(n−rank Duo )×n. The rows of Xform a linearly independent basis for the kernel of Duo
(Xis full rank). The process of finding Xis equivalent to finding the place invariants (an algorithm
appears in [14]) of the unobservable portion of the plant Petri net. All realizable constraints must
lie within the basis described by the rows of X, and thus can be formed as linear combinations
of these rows. Every admissible constraint can be described by kTXwhere k∈ZZ(n−rank Duo).In
general, the coefficient matrix of any set of admissible constraints L0∈ZZnc×ncan be written
L0=KX (31)
where K∈ZZnc×(n−rank Duo).
A characterization of all admissible constraints is not quite as transparent for the case of uncontrollable
transitions as it is for unobservable ones. For unobservable transitions we have an
equality, $L D_{uo} = 0$, which must be satisfied, but for uncontrollable transitions it is an inequality,
$L D_{uc} \le 0$, so we can not simply find the kernel of $D_{uc}$. In this case, the following equality can be
formed
$$L D_{uc} + \Delta = 0$$
where $\Delta$ is a matrix of nonnegative slack variables. The previous equation is rewritten
$$\begin{bmatrix} L & \Delta \end{bmatrix} \begin{bmatrix} D_{uc} \\ I \end{bmatrix} = 0$$
A kernel $X$, solving
$$X \begin{bmatrix} D_{uc} \\ I \end{bmatrix} = 0$$
can then be used to construct a basis for all admissible linear constraints that may be placed
on the plant. $X$ must be computed so as to insure that the elements that correspond to $\Delta$ are
nonnegative. Each element of the kernel will have $n + n_{uc}$ scalar components, where $n_{uc}$ is the
number of uncontrollable transitions. The final $n_{uc}$ elements of each kernel vector correspond to
the slack variables in $\Delta$. Additional row operations may need to be performed on $X$ to insure that
the final $n_{uc}$ elements in each vector are nonnegative. After insuring that none of the slack variables
are negative, all admissible constraint matrices $L$ can be found in the linear combinations of
$X$ that leave nonnegative values in the final $n_{uc}$ slack columns. The first $n$ components of a given
kernel vector represent an admissible value for a row of $L$, as long as the final $n_{uc}$ components of
the kernel vector are nonnegative.
5.2 Constraint Transformations for Unobservability
Suppose we have a set of constraints $L\mu \le b$ such that $L D_{uo} \ne 0$. It is necessary to create new
constraint matrices $(L', b')$ with two properties.
1. $L' D_{uo} = 0$
2. $\forall \mu_p,\; L'\mu_p \le b' \rightarrow L\mu_p \le b$
Property 1 is necessary to insure that the new controller will not utilize the unobservable transitions,
while property 2 indicates that the new constraints must be at least as restrictive as the original
ones. Lemma 9 from section 4.3 is used to deal with this condition.
To perform the transformation, it is necessary to determine values for the matrices $R_1$ and $R_2$
defined in lemma 9 that meet assumptions (19) and (20). It is possible for a designer to determine
the values of $R_1$ and $R_2$ by using the kernel of $D_{uo}$. Combining equations (21) and (31) we see that
$$L' = K X = R_1 + R_2 L$$
The designer should premultiply each constraint in $L$ by some positive integer (which will determine
the diagonal elements in $R_2$) and add new positive coefficients (which will determine $R_1$) such that
the new constraint is a linear combination of the rows of $X$. This process will yield the $L'$ matrix,
and $b'$ can be calculated using $R_2$ and equation (22).
When multiple distinct transformations exist, the technique of section 6 can be used to enforce
the disjunction of all these inequalities.
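The kernel computation of section 5.1 and the membership test of section 5.2 (is a candidate $L'$ a linear combination $KX$ of the rows of $X$?) as an added example; it is not code from the report, which refers to the place-invariant algorithm of [14]. The block row-reduces $D_{uo}^T$ with exact fractions to obtain an integer basis $X$ satisfying (30), then solves $kX = l$ to decide whether a constraint row lies in the span of $X$. The eight-place $D_{uo}$ is a constructed stand-in (three unobservable transitions moving a token $p_5 \to p_6 \to p_7 \to p_8$), chosen so that the untransformed constraint (13) and its transformed form (28) from section 4.4 can be compared; the kernel of the report's own assembly cell is not reproduced here.

```python
# Added example (not part of the report): an integer basis X of the left kernel
# of D_uo, i.e. X D_uo = 0 as in (30), by exact row reduction, plus a test of
# whether a given constraint row is a combination of the rows of X as in (31).
# D_UO is a CONSTRUCTED 8-place, 3-transition chain p5 -> p6 -> p7 -> p8, not
# the report's incidence matrix.
from fractions import Fraction
from math import gcd

D_UO = [[0, 0, 0] for _ in range(4)] + [[-1, 0, 0], [1, -1, 0], [0, 1, -1], [0, 0, 1]]

def rref(A):
    """Reduce a Fraction matrix to reduced row echelon form in place; return pivot columns."""
    rows, cols = len(A), len(A[0])
    pivots, r = [], 0
    for c in range(cols):
        if r == rows:
            break
        p = next((i for i in range(r, rows) if A[i][c] != 0), None)
        if p is None:
            continue
        A[r], A[p] = A[p], A[r]
        pv = A[r][c]
        A[r] = [v / pv for v in A[r]]
        for i in range(rows):
            if i != r and A[i][c] != 0:
                f = A[i][c]
                A[i] = [a - f * b for a, b in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    return pivots

def left_kernel(D):
    """Integer rows X with X D = 0; len(X) == n - rank(D). Solves D^T x = 0 for x."""
    n, m = len(D), len(D[0])
    A = [[Fraction(D[i][j]) for i in range(n)] for j in range(m)]   # D^T, m x n
    pivots = rref(A)
    basis = []
    for f in (c for c in range(n) if c not in pivots):   # one vector per free column
        x = [Fraction(0)] * n
        x[f] = Fraction(1)
        for row, pc in zip(A, pivots):                    # pivot rows are the first len(pivots) rows
            x[pc] = -row[f]
        den = 1
        for v in x:
            den = den * v.denominator // gcd(den, v.denominator)
        basis.append([int(v * den) for v in x])          # clear denominators
    return basis

def coefficients(X, l):
    """Solve k X = l. Returns k (a list of Fractions) or None when l is not in the row space of X."""
    nk, n = len(X), len(X[0])
    A = [[Fraction(X[k][j]) for k in range(nk)] + [Fraction(l[j])] for j in range(n)]
    pivots = rref(A)
    if nk in pivots:                 # a pivot in the augmented column means the system is inconsistent
        return None
    k = [Fraction(0)] * nk
    for row, pc in zip(A, pivots):
        k[pc] = row[nk]
    return k

def mat_mul(X, D):
    return [[sum(X[i][k] * D[k][j] for k in range(len(D))) for j in range(len(D[0]))]
            for i in range(len(X))]

X = left_kernel(D_UO)

if __name__ == "__main__":
    for row in X:
        print(row)
    print("X D_uo == 0:", all(v == 0 for r in mat_mul(X, D_UO) for v in r))
    print("(13) mu5+mu6      in span:", coefficients(X, [0, 0, 0, 0, 1, 1, 0, 0]))
    print("(28) mu5+..+mu8   in span:", coefficients(X, [0, 0, 0, 0, 1, 1, 1, 1]))
```

For this stand-in the basis has $8 - 3 = 5$ rows: the unit vectors of $p_1$ through $p_4$, which the unobservable transitions never touch, and the invariant $p_5 + p_6 + p_7 + p_8$. The row of (13) is not in the span, so it needs transformation; the row of (28) is, with $K = [0\;0\;0\;0\;1]$, which is what the designer's "add positive coefficients until the row lies in the span of $X$" step produces.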
5.3 Constraint Transformations for Uncontrollability
The invariant based control method yields maximally permissive supervisors for enforcing linear
constraints of the form $L\mu_p \le b$. When these constraints are transformed, because of the uncontrollability
and unobservability of certain transitions, into $L'\mu_p \le b'$, the invariant based control
method will still yield a maximally permissive realization of the transformed constraint. Unfortunately,
the new constraint itself may not represent the most permissive admissible control law
corresponding to the original constraint. The maximally permissive admissible constraint associated
with a linear predicate on the plant’s marking may be a nonlinear predicate that can not be
optimally controlled by a standard invariant based controller.
At this time, a complete description of the conditions under which an optimal transformation
of linear constraints is another set of linear constraints is unknown. Li and Wonham [13] have
shown that when the uncontrollable portion of the plant has a “type 1 tree structure,” the optimal
transformation will be a disjunction of linear predicates¹, while a “type 2” structure will yield a
linear transformation. However these conditions are only sufficient, not necessary.
Given an inadmissible constraint $l^T \mu_p \le b$, a permissive control law for the enforcement of this
constraint can be synthesized using the following steps.
1. Find all inequalities $l'^T \mu_p \le b'$ that are
(a) Valid transformations of $l^T \mu \le b$ according to Lemma 9 and
(b) Admissible constraints according to the theory developed in section 5.1.
There may be an infinite number of inequalities that meet these two requirements, but they
may be expressed with a finite number of inequalities since linearly dependent constraints
do not represent different restrictions on the behavior of the plant. Detailed instructions for
carrying out this step can be found in [16].
2. Construct the controller incidence matrices associated with these constraints using $D_c = -l'^T D_p$.
3. Enforce the union of the individual control laws by following the procedure of section 6.
The procedure above is similar to the idea of the supremal controllable sublanguage [22, 28]
from the supervisory control literature. In both cases, all of the valid behaviors of the plant
are characterized based on the plant’s structure and the desired constrained behavior, and the
supervisor is then used to insure that the behavior of the plant is limited to this set of admissible
behaviors.
To say that the procedure above will always result in a maximally permissive control law, the
following two points would have to be proved.
1. The maximally permissive control law associated with a plant and constraint $l^T \mu_p \le b$ can
always be expressed as the disjunction of other linear state inequalities.
2. The transformation procedure in Lemma 9 covers all valid constraint transformations, i.e., if
for all $\mu_p \ge 0$ such that $l'^T \mu_p \le b'$, $l\mu_p \le b$ is also true, then $(l', b')$ can be expressed as a
linear function of $(l, b)$ according to the rules and assumptions of Lemma 9.
Li and Wonham [13] have shown that condition 1 is true when the uncontrollable portions of a
plant have a certain “tree structure” (see [13]). But for the general case, the answer is not known.
¹ A procedure for enforcing these with a modified PN controller is presented in section 6.
6 Enforcing Disjunctions of Linear Constraints
6.1 Description of Method
The inequality
$$L\mu_p \le b \qquad (32)$$
represents the logical intersection, or conjunction, of $n_c$ separate linear inequalities. That is, if $l_i$ is
the $i$th row of $L$ and $b_i$ is the $i$th element of $b$, then (32) is equivalent to
$$\bigwedge_{i=1}^{n_c} l_i^T \mu_p \le b_i$$
The feasible solutions to the inequalities form a convex region [6], and the behavior of a Petri net
can be restricted to this region by adding further PN structures to the net as was shown in section
3. A logical union, or disjunction, of linear constraints is, in general, nonconvex and can not be
enforced with maximal permissivity on a Petri net through the use of other Petri net structures
due to the linear nature of reachable PN state spaces. A proof of this claim appears in [15].
This section will show how a slight modification to the evolution rules of the controller net
can be made such that it will act as a maximally permissive supervisor for a class of nonconvex
constraints.
The following disjunction of linear inequalities is to be enforced on the marking of a plant with
initial marking $\mu_{p0} \in \mathbb{Z}^n$ (all elements nonnegative) and incidence matrix $D_p \in \mathbb{Z}^{n \times m}$.
$$\bigvee_{i=1}^{n_c} l_i^T \mu_p \le b_i \qquad (33)$$
where $l_i \in \mathbb{Z}^n$ and $b_i \in \mathbb{Z}$. Let
$$D_{ci} = -l_i^T D_p \qquad (34)$$
and
$$\mu_{ci0} = b_i - l_i^T \mu_{p0} \qquad (35)$$
for $1 \le i \le n_c$. This procedure is the same as detailed in section 3, thus each pair $(D_{ci}, \mu_{ci})$ is a
maximally permissive PN supervisor for enforcing the constraint $l_i^T \mu_p \le b_i$. However if all of these
supervisor elements were to be simultaneously enforced on the plant, then the result would be the
logical intersection of the constraints rather than their union.
In order for the controller to enforce a disjunction of inequalities, at least one of the inequalities
$l_i^T \mu_p \le b_i$ must be true at every transition firing iteration of the net’s evolution. Let
$$L = \begin{bmatrix} l_1 & l_2 & \cdots & l_{n_c} \end{bmatrix}^T$$
so that
$$D_c = -L D_p \qquad (36)$$
and
$$\mu_{c0} = b - L\mu_{p0} \qquad (37)$$
which is identical to the controller construction from section 3. However, the enabling rule for the
controller portion of the net must be changed such that it insures that at least one of the inequalities
is being obeyed at all times rather than all of them at all times.
A firing vector $q$ is valid (indicates the firing of an enabled transition) iff
$$D_p^- q \le \mu_p \qquad (38)$$
and
$$\mu_{ci} + D_{ci} q \ge 0 \;\text{ for some } i \in 1 \ldots n_c \qquad (39)$$
Inequality (38) is the standard PN enabling condition for a plant that may include transitions with
self loops. The enabling condition for the controller (39) does not include any $D_{ci}^-$ terms because
controllers constructed according to the rules in section 3 do not contain self loops. Condition (39)
may also be written
$$\max_{i=1}^{n_c} \left(\mu_{ci} + D_{ci} q\right) \ge 0 \qquad (40)$$
Note that it is still true that
$$L\mu_p + \mu_c = b \qquad (41)$$
however, unlike the standard nonnegative slack variables from before, many of the elements of
this $\mu_c$ may be negative. The restriction placed by condition (40) insures that at least one of the
elements is nonnegative, and thus at any time, at least one of the inequalities in (33) is being
satisfied.
Proposition 12. Maximal permissivity of disjunction-enforcing controllers. A controller
constructed according to (36) and (37) using enabling rule (40) is a maximally permissive
supervisor for the enforcement of constraint (33) on the plant $(D_p, \mu_{c0})$ iff
$$\mu_{ci0} \ge 0 \;\text{ for some } i \in 1 \ldots n_c. \qquad (42)$$
Proof. If condition (42) is not met, then the initial conditions of the plant violate the constraint
(33) according to equation (37), and the constraint can not be enforced.
Equation (41) shows that the state space of the closed loop system being outside the bounds
of constraint (33) is equivalent to the situation when all the elements of $\mu_c$ are negative. However
this is the only condition that is prevented by enabling rule (40). The only time the controller will
intervene to disable a transition is when the firing of that transition would cause a direct violation
of constraint (33), and thus the supervisor is maximally permissive.
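A small simulator of the closed loop, added here as an example and not taken from the report, that applies the plant enabling rule (38) together with either the ordinary controller rule (every $\mu_{ci} + D_{ci}q \ge 0$, the conjunction) or the modified rule (40) (the disjunction). The two-place plant, the firing sequence and the function names are this example's own constructions: $t_1$ and $t_2$ each add a token to $p_1$ and $p_2$, $t_3$ and $t_4$ each remove one, and the disjunction enforced is $(\mu_1 \le 1) \vee (\mu_2 \le 1)$, so that the two rules diverge on the second firing of $t_1$.

```python
# Added example (not part of the report): firing a CONSTRUCTED two-place plant
# under a controller built by (36) and (37), comparing the conjunctive enabling
# rule (every controller place stays >= 0) with the disjunctive rule (40).
# t1, t2 add a token to p1, p2; t3, t4 remove one. Constraint: (mu1 <= 1) v (mu2 <= 1).

D_MINUS = [[0, 0, 1, 0],     # pre-incidence: tokens each transition takes from p1, p2
           [0, 0, 0, 1]]
D_PLUS = [[1, 0, 0, 0],      # post-incidence: tokens each transition puts into p1, p2
          [0, 1, 0, 0]]
D_P = [[p - m for p, m in zip(rp, rm)] for rp, rm in zip(D_PLUS, D_MINUS)]

L = [[1, 0], [0, 1]]         # rows l_1^T, l_2^T of (33)
B = [1, 1]

def mat_vec(D, q):
    return [sum(row[j] * q[j] for j in range(len(q))) for row in D]

def build_controller(L, b, D_p, mu_p0):
    """(36) and (37): D_c = -L D_p, mu_c0 = b - L mu_p0."""
    D_c = [[-sum(l[i] * D_p[i][j] for i in range(len(D_p))) for j in range(len(D_p[0]))] for l in L]
    mu_c0 = [bi - sum(li * mi for li, mi in zip(l, mu_p0)) for l, bi in zip(L, b)]
    return D_c, mu_c0

def enabled(q, D_minus, D_c, mu_p, mu_c, disjunction):
    """q is valid iff (38) holds for the plant and the controller rule holds:
    all controller places stay nonnegative (conjunction), or at least one does,
    i.e. max_i (mu_ci + D_ci q) >= 0, which is (40)."""
    if any(need > have for need, have in zip(mat_vec(D_minus, q), mu_p)):
        return False
    next_c = [mc + dq for mc, dq in zip(mu_c, mat_vec(D_c, q))]
    return max(next_c) >= 0 if disjunction else min(next_c) >= 0

def run(sequence, mu_p0, disjunction):
    """Try to fire the 0-based transitions of `sequence` in order, skipping any the
    rule disables. Returns (final mu_p, final mu_c, transitions that fired)."""
    D_c, mu_c = build_controller(L, B, D_P, mu_p0)
    mu_p, fired = list(mu_p0), []
    for t in sequence:
        q = [1 if j == t else 0 for j in range(len(D_P[0]))]
        if not enabled(q, D_MINUS, D_c, mu_p, mu_c, disjunction):
            continue
        mu_p = [m + d for m, d in zip(mu_p, mat_vec(D_P, q))]
        mu_c = [m + d for m, d in zip(mu_c, mat_vec(D_c, q))]
        fired.append(t)
    return mu_p, mu_c, fired

def invariant_holds(mu_p, mu_c):
    """(41): L mu_p + mu_c = b at every reachable marking, even when some mu_ci < 0."""
    return [sum(li * mi for li, mi in zip(l, mu_p)) + mc for l, mc in zip(L, mu_c)] == B

if __name__ == "__main__":
    seq = [0, 0, 1, 1]                         # t1, t1, t2, t2
    for mode in (False, True):
        mu_p, mu_c, fired = run(seq, [0, 0], disjunction=mode)
        print("disjunction" if mode else "conjunction",
              "-> mu_p", mu_p, "mu_c", mu_c, "fired", [t + 1 for t in fired],
              "(41) holds:", invariant_holds(mu_p, mu_c))
```

Under the conjunction the second $t_1$ is refused because $\mu_{c1}$ would go to $-1$; under rule (40) it fires because $\mu_{c2}$ is still $1$, leaving $\mu_c = [-1, 1]$, and (41) still holds with the negative entry. The second $t_2$ is then refused in both modes, since it would make every controller place negative, which is exactly the one situation (40) forbids.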
Remark. The simple rules that govern ordinary Petri net behavior are what help to make the
PN model so attractive both for analysis and implementation. The reluctance to modify this model
for the enforcement of nonconvex constraints on PN plants is overcome for the following reasons.
1. The ability to handle the disjunction of linear constraints as well as their conjunction is a
powerful advancement in the utility of the method and is necessary for the proper solution of
problems in many applications.
2. Disjunctions of linear constraints are important for the permissive enforcement of linear con-
straints under conditions in which transitions may be uncontrollable or unobservable.
3. The modified rules for controller state evolution involve only a slight modification of the
ordinary transition enabling rule. Analysis and implementation are very similar to that of
ordinary Petri nets.
[Figure 4 omitted: the assembly cell with places $p_1$ through $p_{10}$, transitions $t_1$ through $t_{12}$, and controller places $c_{1a}$, $c_{1b}$, $c_2$, $c_3$.]
Figure 4: The final structure of the assembly cell and supervisor. Places $c_{1a}$ and $c_{1b}$ obey the
modified PN enabling rule (40) in order to enforce the nonconvex constraint (45).
6.2 Example – An Uncontrollable Loop is Added to the Assembly Cell
The robots of the piston rod robotic assembly cell are not 100% reliable. It is possible that the
M-1 robot will fail to properly secure a piston cap to its rod. The plant is now augmented with an
error recovery loop that is considered to be under the supervision of an auxiliary controller. The
modified structure is shown in Figure 4. The uncontrollable firing of transition t10 indicates that a
fault has occurred. Place $p_9$ is then marked with the number of M-1 robots that have experienced
faults and have entered the recovery loop. Tokens in $p_{10}$ represent the combined actions of M-1 and
S-380 robots to replace and realign the appropriate parts so that the procedure can begin again at
$p_6$. The new transitions, $t_{10}$, $t_{11}$, and $t_{12}$ are all considered uncontrollable and unobservable to the
resource managing supervisor.
Constraints (11) and (12) need to be rewritten to account for the use of the two robots in the
recovery loop. An S-380 robot is used in $p_{10}$, and the M-1 robot is required in both $p_9$ and $p_{10}$.
The new constraints are then
$$\mu_2 + \mu_3 + \mu_{10} \le 3 \quad \text{(three S-380 robots)} \qquad (43)$$
$$\mu_5 + \mu_6 + \mu_7 + \mu_8 + \mu_9 + \mu_{10} \le 3 \quad \text{(three M-1 robots)} \qquad (44)$$
Following the procedure of section 5.2, the kernel, $X$, of the unobservable incidence matrix,
$D_{uo}$, is computed:
$$X = \begin{bmatrix}
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 1 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}, \qquad X D_{uo} = 0$$
Admissible constraints will be linearly dependent with the rows of $X$. The left hand side of (44) is
equal to row five of $X$, thus the constraint is admissible and requires no transformation. In order
to make the left hand side of (43) an element of the kernel of $D_{uo}$, we can either add the missing
elements from row four or row five of $X$. Because there is a choice, the transformed constraint will
be written as a disjunction of the two candidate inequalities.
$$(\mu_2 + \mu_3 + \mu_4 + \mu_6 + \mu_7 + \mu_8 + \mu_9 + \mu_{10} \le 3) \;\vee\; (\mu_2 + \mu_3 + \mu_5 + \mu_6 + \mu_7 + \mu_8 + \mu_9 + \mu_{10} \le 3) \qquad (45)$$
A controller is calculated to enforce (45) using the procedure described in section 6.1. The
supervisor, shown with its connections to the plant in Figure 4, is maximally permissive.
7 Control Specifications
Constraints of the form $L\mu_p \le b$ (inequality (5)) are useful for representing a large variety of
forbidden state problems. This section will show how several common varieties of system constraints
can be written in the form of (5), enabling the use of invariant based control.
Section 7.1 shows how the management of finite resources can be handled using invariant based
control. Section 7.2 discusses equality constraints and demonstrates how attempts to enforce them
with invariant based controllers can lead to deadlock. Section 7.3 explains how both direct and
indirect enforcement of constraints on events, i.e., linear inequalities involving the firing vector, can
be handled using the invariant based control method. In section 7.4, a class of logical predicates on
plant behavior are transformed into systems of linear inequalities to be enforced by a supervisor.
Section 7.5 explains how the techniques for supervision of ordinary Petri nets can be expanded to
timed Petri nets and real-time constraints.
7.1 Modeling of Finite Resources
A finite resource is a tool or material with limited supply that is required by one or more agents
for the completion of a job or to carry out some action. The availability of finite resources places
implicit constraints on feasible actions within a system. These constraints can be written as linear
inequalities on the state. Let $b_i$ be the total number of available units for resource $i$. Let $R_i$ be
a set of places associated with finite resource $i$. Every token in the places making up the set $R_i$
represents the use of one of the resources. A linear constraint on the marking can then be written
$$\sum_{\mu_j \in R_i} \mu_j \le b_i \qquad (46)$$
Suppose that a resource suddenly becomes available or the number of available resources changes
in some other way during the operation of the plant. This situation could be handled by modifying
the token count in the appropriate controller slack place, i.e., the number $b_i$ on the right hand side
of (46) could be modified dynamically. According to Theorem 1, dynamic modifications to $b$ in a
constraint inequality will not change the structure of the controller. The arcs and their associated
weights will remain the same. The only change would be in the marking of a controller place to
correspond to the new slack value. Though this scheme would work, it is not very elegant from the
point of view of Petri nets, i.e., tokens should not appear and disappear from a net without the
corresponding firing of transitions.
Figure 5 shows how the resource controller places can be augmented with two uncontrollable
transitions and a place in order to model the loss of finite resources while maintaining the standard
Petri net framework of the model. Under normal operation, the token in the resource place is used
to permit the firing of the plant transition. However the loss of the finite resource now corresponds
to the firing of an uncontrollable transition which robs the “resource is available” place of its token
and stalls the operation of the plant. Another uncontrollable transition is then used to replace the
missing token when the resource once again becomes available.
[Figure 5 omitted: a plant place fed by a “Resource is available” controller place; an uncontrollable transition moves the token to a “Resource is unavailable” place and a second uncontrollable transition returns it.]
Figure 5: Modeling the loss of a finite resource using uncontrollable transitions.
Remark. It may seem odd that the structure shown in Figure 5 contains uncontrollable transi-
tions connected directly to the PN controller places. The reason these transitions have been marked
uncontrollable is because it may not be possible to know when they will fire, and it does not matter
to the controller. The “Resource is available” place in the controller represents the standard invari-
ant based controller place that keeps track of the slack associated with its given constraint. The
“Resource is unavailable” place can “steal” tokens from the primary place, thus reducing the slack
and reducing the number of resources that can be allocated to the plant. The associated transitions
here may be considered uncontrollable, but they still must obey standard PN rules, thus a resource
will not suddenly become unavailable if it is currently in use in the plant. If resources that are
currently in use may become unavailable at any time, the modeling and management of them must
be handled differently by incorporating this behavior in the plant model itself.
7.2 Equality Constraints
Though rare, in some circumstances the control designer may wish to insure that the token
count in a set of places remains constant. For example, suppose we have a Petri net describing
the task distribution in a multiprocessor computer, and the designer wants to insure that there are
always two processors (no more and no less) available to handle I/O. Consider a chemical processing
plant where tokens representing reactants in a set of places must be kept constant to maintain a
desired chemical equilibrium. Constraints like these may take the form of equalities, rather than
inequalities.
Equality constraints have the form
$$L\mu_p = b \qquad (47)$$
Equation (47) defines place invariants on the original process net. This is really a specification for
the system and should have been incorporated into the Petri net model before attempting to use
supervisory control. If this invariant is not already part of the Petri net model, it should become
one by modifying the incidence matrix $D_p$ of the plant. The new elements of $D_p$ represent the arcs
that should be added to the Petri net so that the place invariants are enforced.
It may seem feasible to use the place invariant control method to force $L\mu_p \le b$ and $L\mu_p \ge b$
to achieve the constraint of equation (47). Unfortunately this approach will produce undesirable
results as described by the following proposition.
Proposition 13. Enforcement of equality constraints leads to deadlock. Enforcing constraint
(47) by creating invariant based controllers for the constraints
$$L\mu_p \le b, \text{ and} \qquad (48)$$
$$-L\mu_p \le -b \qquad (49)$$
will
1. have no effect on the plant’s behavior, or
2. create a local deadlock in the plant (the system will not be live).
Proof. Suppose that the natural behavior of the plant already meets the desired constraint. In
this case, $L$ describes a set of place invariants in the plant and $L D_p = 0$. Equation (9) shows that
the controller for constraint (48) or (49) is given by $D_c = \pm L D_p = 0$. Thus the controller will have
no arcs to the plant transitions, and it will have no effect on the plant’s behavior.
Now suppose that $L$ does not include natural invariants of the plant. In this case, the controller
incidence matrices for (47) and (48) are given by
$$D_{c1} = -L D_p \ne 0$$
$$D_{c2} = L D_p = -D_{c1}$$
Since $D_{c1} = -D_{c2}$, all output arcs of the places in $D_{c1}$ are input arcs of the places in $D_{c2}$ and vice
versa. Thus the set of control places forms a siphon.
The initial marking, $\mu_{p0}$, of the plant must satisfy $L\mu_{p0} = b$ or it would not have been feasible
to attempt to enforce (47). Equation (10) gives the initial markings of the control places:
$$\mu_{c10} = b - L\mu_{p0} = 0$$
$$\mu_{c20} = -b + L\mu_{p0} = 0$$
Thus the set of control places forms an unmarked siphon and all of the transitions to which
these places are connected will be dead.
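Proposition 13 worked through in code, as an added example that is not part of the report. The block builds the two controller places for (48) and (49) with equations (9) and (10), checks that their rows are negatives of each other and both start empty (an unmarked siphon), and lists the transitions that can therefore never fire. It uses the three-place plant of section 4.2 with the constraint $\mu_3 = 1$, which is not a natural invariant of that net, and contrasts it with $\mu_1 + \mu_2 + \mu_3$, which is; the initial marking and the function names are this example's assumptions.

```python
# Added example (not part of the report): what Proposition 13 predicts when the
# equality (47) is attempted through the inequality controllers (48) and (49).
# The plant is the three-place net of section 4.2; mu3 = b is NOT a natural
# invariant of it (row 3 of D_p is nonzero), while mu1 + mu2 + mu3 is.

D_P = [
    [-1,  0,  0,  1],   # p1
    [ 1,  1, -1,  0],   # p2
    [ 0, -1,  1, -1],   # p3
]

def vec_mat(l, D):
    """Row vector times matrix: l^T D."""
    return [sum(l[i] * D[i][j] for i in range(len(D))) for j in range(len(D[0]))]

def dot(l, mu):
    return sum(a * b for a, b in zip(l, mu))

def natural_invariant(l, D_p):
    """l is a place invariant of the plant iff l^T D_p = 0; then (48) and (49) add no arcs."""
    return all(v == 0 for v in vec_mat(l, D_p))

def equality_controllers(l, b, D_p, mu_p0):
    """Controller rows and initial markings, per (9) and (10), for
    (48) l mu_p <= b and (49) -l mu_p <= -b."""
    D_c1, mu_c10 = [-v for v in vec_mat(l, D_p)], b - dot(l, mu_p0)
    D_c2, mu_c20 = list(vec_mat(l, D_p)), -b + dot(l, mu_p0)
    return (D_c1, mu_c10), (D_c2, mu_c20)

def is_siphon(pair):
    """The two control places form a siphon when every output arc of one is an
    input arc of the other, i.e. the rows are negatives of each other."""
    (D_c1, _), (D_c2, _) = pair
    return all(a == -b for a, b in zip(D_c1, D_c2))

def dead_transitions(pair):
    """With D_c2 = -D_c1 and both places empty, any transition touching the control
    places needs a token from one of them and none can ever arrive: it is dead."""
    (D_c1, mu1), (D_c2, mu2) = pair
    if not (is_siphon(pair) and mu1 == 0 and mu2 == 0):
        raise ValueError("not an unmarked siphon; nothing is concluded here")
    return [j for j, (a, b) in enumerate(zip(D_c1, D_c2)) if a != 0 or b != 0]

if __name__ == "__main__":
    mu_p0 = [0, 0, 1]                       # constructed: satisfies mu3 = 1 initially
    pair = equality_controllers([0, 0, 1], 1, D_P, mu_p0)
    print("natural invariant?", natural_invariant([0, 0, 1], D_P))
    print("(48) place:", pair[0], " (49) place:", pair[1])
    print("unmarked siphon:", is_siphon(pair) and pair[0][1] == 0 and pair[1][1] == 0)
    print("dead transitions:", [j + 1 for j in dead_transitions(pair)])
    print("mu1+mu2+mu3 is a natural invariant:", natural_invariant([1, 1, 1], D_P))
```

For $\mu_3 = 1$ the two places get rows $[0\;1\;{-1}\;1]$ and $[0\;{-1}\;1\;{-1}]$ with both markings zero, so $t_2$, $t_3$ and $t_4$ are dead from the start and only $t_1$ remains live: the local deadlock of case 2. For $\mu_1 + \mu_2 + \mu_3$ the product $l^T D_p$ is zero, so both rows vanish and the controller is the no-op of case 1.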
7.3 Constraints involving the Firing Vector
Certain control goals may involve the firing vector of the Petri net in addition to, or instead of, the
places. For example one might need to ensure that two transitions do not fire simultaneously or
that a certain transition is never allowed to fire when a certain place holds a token. There are two
ways that constraints like these may be viewed. For the constraint
$$\mu_i + q_j \le 1 \qquad (50)$$
do we mean that transition $j$ should be disabled whenever place $i$ contains a token, or do we mean
that all plant states that would allow transition $j$ to be enabled are forbidden whenever place
$i$ contains a token? The answer to this question lies in the particulars of a given plant and its
operation. Both means of enforcing the constraint can be useful for different problems.
Section 7.3.1 describes rules for enforcing firing vector constraints using the "direct" interpretation, i.e., transitions are explicitly disabled in order to satisfy the inequality. Algebraic schemes
for handling the "indirect" interpretation of firing vector constraints were proposed in [32]. A new
approach is presented in section 7.3.2 that uses the concept of uncontrollable transitions to force
a correct interpretation of each constraint, thus avoiding the enumeration of separate cases that
appeared in [32].
7.3.1 Direct Realization
Assume that the plant must satisfy constraint (50). The direct interpretation of this constraint
implies that transition $t_j$ cannot fire if place $p_i$ is marked, and, of course, place $i$ can never contain
more than one token. To bring this constraint to a form that contains elements of the marking
vector only, the plant is transformed as follows. Transition $j$ is replaced by two transitions and a
place between them, as shown in Figure 6. This transformation is artificial and will not affect the
Petri net model of the process. Its sole purpose is to introduce the place $p_j'$, which records the firing
of the transition $t_j$. After the controller has been computed the plant will be transformed back to
its original form.
The marking $\mu_j'$ of $p_j'$ replaces $q_j$ in constraint (50), which becomes
$$\mu_i + \mu_j' \le 1 \qquad (51)$$
[Figure: transition $t_j$ replaced by $t_j$, place $p_j'$ and transition $t_j'$]
Figure 6: Transformation of a Transition.
The constraint now contains only $\mu$'s and a controller can now be computed. After the controller
structure is computed, the two transitions and the place of the transformation collapse to the
original transition thus restoring the original form of the plant while maintaining the enforcement
of the new constraint. The same transformation is done to all the transitions that appear in the
constraints. Constraints that contain only $q$'s, i.e., constraints on allowable firing vectors with no
concern for specific markings, are treated in the same way.
In terms of Figure 6, output arcs from the controller would normally be connected to transition
$t_j$, and input arcs to the controller would be connected to $t_j'$. The act of collapsing the transformed
structure back to its original form will cause both the input and output arcs to be connected to the
original transition $t_j$. Unlike standard invariant based controllers, this means that the controller
may contain self loops to the transitions indicated in the constraints. Separate $D_c^+$ and $D_c^-$ matrices
must be maintained for the controller and used when determining enabled and disabled transitions.
In summary, given a plant $(D_p, \mu_{p0})$ and constraint
$$l^T\mu_p + f^T q \le b, \quad f \ge 0 \qquad (52)$$
the invariant based controller $(D_c = D_c^+ - D_c^-, \mu_{c0})$ is given by
$$D_c^+ = \max(0, D_{lc}^+ - D_{fc}^-) + \max(0, D_{fc}^+ - D_{lc}^-) \qquad (53)$$
$$D_c^- = \max(0, D_{lc}^- - D_{fc}^+) + \max(0, D_{fc}^- - D_{lc}^+) \qquad (54)$$
$$\mu_{c0} = b - l^T\mu_{p0} \qquad (55)$$
where
$$D_{fc}^+ = D_{fc}^- = f^T \qquad (56)$$
and
$$D_{lc}^+ = \max(0, D_{lc}) \qquad (57)$$
$$D_{lc}^- = \max(0, -D_{lc}) \qquad (58)$$
where
$$D_{lc} = -l^T D_p \qquad (59)$$
and the notation $\max(0, a)$ refers to a vector equal to $a$ but with all negative elements replaced with
zeros. The equations above account for both the transformation of transitions and the collapse of
the transitions back to the original form of the net. Equations (53) and (54) allow arcs from the
$D_{lc}$ and $D_{fc}$ portions of the control to cancel each other, but do not allow the self loops in $D_{fc}^+$ and
$D_{fc}^-$ to cancel each other.
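The following Python implements equations (53) through (59) together with the enabling rule that uses the separate $D_c^+$ and $D_c^-$ rows; it is an added example, not code from the report, and the three-place cyclic plant it runs on is constructed here for constraint (50) with $i = 2$, $j = 3$:

```python
# Added example, not from the report: the direct-realization controller of
# equations (53)-(59) for a constraint l^T mu_p + f^T q <= b, computed with
# separate D_c^+ and D_c^- rows so that self loops on the transitions in f
# survive, plus an enabling rule that uses them.  The plant is constructed.

def max0(v):
    """max(0, a): the vector a with every negative entry replaced by zero."""
    return [x if x > 0 else 0 for x in v]

def vadd(a, b):
    return [x + y for x, y in zip(a, b)]

def vsub(a, b):
    return [x - y for x, y in zip(a, b)]

def row_times_matrix(l, D):
    """l^T D for a row vector l (indexed by place) and incidence matrix D
    (rows = places, columns = transitions)."""
    return [sum(l[i] * D[i][j] for i in range(len(l))) for j in range(len(D[0]))]

def direct_controller(Dp, mu_p0, l, f, b):
    """Return (Dc_plus, Dc_minus, mu_c0) for one control place enforcing
    l^T mu_p + f^T q <= b under the direct interpretation.

    Dc_plus[j] is the weight of the arc t_j -> control place and
    Dc_minus[j] the weight of the arc control place -> t_j.
    """
    if any(x < 0 for x in f):
        raise ValueError("f >= 0 is required by (52)")
    Dlc = [-x for x in row_times_matrix(l, Dp)]          # (59)  D_lc = -l^T D_p
    Dlc_plus = max0(Dlc)                                  # (57)
    Dlc_minus = max0([-x for x in Dlc])                   # (58)
    Dfc_plus = list(f)                                    # (56)  D_fc^+ = f^T
    Dfc_minus = list(f)                                   # (56)  D_fc^- = f^T
    # (53)/(54): arcs from the l part and the f part may cancel, but the
    # self loop D_fc^+ = D_fc^- is never cancelled against itself.
    Dc_plus = vadd(max0(vsub(Dlc_plus, Dfc_minus)), max0(vsub(Dfc_plus, Dlc_minus)))
    Dc_minus = vadd(max0(vsub(Dlc_minus, Dfc_plus)), max0(vsub(Dfc_minus, Dlc_plus)))
    mu_c0 = b - sum(x * m for x, m in zip(l, mu_p0))     # (55)
    return Dc_plus, Dc_minus, mu_c0

def enabled(Dp, mu_p, Dc_minus, mu_c, j):
    """t_j is enabled iff its plant input places and the control place each
    hold at least the weight of the corresponding arc (the self loop counts)."""
    plant_ok = all(mu_p[i] >= -Dp[i][j] for i in range(len(Dp)) if Dp[i][j] < 0)
    return plant_ok and mu_c >= Dc_minus[j]

def fire(Dp, mu_p, Dc_plus, Dc_minus, mu_c, j):
    """Marking after firing an enabled t_j; a self loop leaves mu_c unchanged."""
    return ([mu_p[i] + Dp[i][j] for i in range(len(Dp))],
            mu_c + Dc_plus[j] - Dc_minus[j])

# Constructed plant (assumption): p1 -t1-> p2 -t2-> p3 -t3-> p1, one token.
D_P = [[-1, 0, 1], [1, -1, 0], [0, 1, -1]]
MU_P0 = [1, 0, 0]

if __name__ == "__main__":
    # Constraint (50) with i = 2, j = 3: mu_2 + q_3 <= 1, i.e. l = e_2, f = e_3, b = 1.
    Dc_plus, Dc_minus, mu_c0 = direct_controller(D_P, MU_P0, [0, 1, 0], [0, 0, 1], 1)
    print("Dc+ =", Dc_plus, " Dc- =", Dc_minus, " mu_c0 =", mu_c0)
    mu_p, mu_c = MU_P0, mu_c0
    for j in (0, 1, 2):                      # run the cycle once: t1, t2, t3
        assert enabled(D_P, mu_p, Dc_minus, mu_c, j)
        mu_p, mu_c = fire(D_P, mu_p, Dc_plus, Dc_minus, mu_c, j)
        print("after t%d: mu_p = %s, mu_c = %d" % (j + 1, mu_p, mu_c))
```

The result is one control place that is drained by $t_1$, filled by $t_2$ and joined to $t_3$ by a self loop: the place invariant $\mu_c + \mu_2 = 1$ bounds $p_2$, and the self loop stops $t_3$ exactly when $\mu_c = 0$, i.e. when $p_2$ holds the token. The constraint is uncoupled here ($T_l = \{t_1, t_2\}$, $T_f = \{t_3\}$), so nothing cancels in (53) and (54).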
The remainder of this subsection provides an analysis of the admissibility of firing vector constraints using the direct interpretation. Similar to Corollary 6, the following corollary defines when
a constraint on the firing vector of a Petri net is admissible.
Corollary 14. Transition-constraint admissibility. The single vector constraint $f^T q \le b$,
where $f, b \ge 0$, is admissible under direct transition-constraint implementation on a plant with
controllable transitions $T_c$, if $\forall j$ s.t. $f_j \ne 0$, $t_j \in T_c$.
Proof. The proof is by Proposition 5 on general constraint controllability. The direct transition-constraint enforcement method for the constraint $f^T q \le b$ is maximally permissive since it is
constructed as an invariant based controller. The initial marking of the controller $\mu_{c0} = b$ is valid if
$b \ge 0$. The incidence matrix of the controller $D_c^+ = D_c^- = f^T$ contains input arcs to all transitions
$j$ such that $f_j \ne 0$. If all of these transitions are controllable, then the controller draws no arcs to
uncontrollable transitions and the constraint is admissible.
The admissibility of combined marking/firing constraints, $l^T\mu_p + f^T q \le b$, will be discussed for
the situation in which the constraints are uncoupled.
Definition 15. A constraint of the form (52), where $f \ge 0$, is called uncoupled if
$$T_l \cap T_f = \emptyset$$
where $T_l$ is the set of transitions that are connected to the controller induced by the $l^T\mu_p$ portion of
the constraint (transitions $t_j$ such that $D_{lc}(j) \ne 0$ in equation (59)), and $T_f$ is the set of transitions
connected to the controller induced by the $f^T q$ portion of the constraint (transitions $t_j$ such that
$f_j \ne 0$).
Constraint (52) is uncoupled if the transitions involved in the $l^T\mu_p$ and $f^T q$ portions of the
constraint are mutually exclusive.
Remark. When constraints are uncoupled, equations (53) and (54) reduce to
$$D_c^+ = D_{lc}^+ + D_{fc}^+$$
$$D_c^- = D_{lc}^- + D_{fc}^-$$
Proposition 16. Uncoupled place/transition constraints. A vector constraint of form (52)
is uncoupled iff
$$\forall i \text{ s.t. } f_i \ne 0, \quad l^T D_p e_i = 0 \qquad (60)$$
where $e_i$ is a zero-vector with a 1 in the $i$th place.
Proof. The set of plant transitions that will contain arcs to or from the controller is determined
from the controller synthesis equations. This set is the union of the transitions connected by arcs
induced by the $l^T\mu_p$ and $f^T q$ portions of the constraint, i.e., $T_f \cup T_l$. Equation (56) indicates that
$$T_f = \{t_j \mid f_j \ne 0\} \qquad (61)$$
and equations (57) and (58) show
$$T_l = \{t_j \mid l^T D_p e_j \ne 0\} \qquad (62)$$
Combining these with condition (60) implies
$$T_l \cap T_f = \emptyset \qquad (63)$$
The sets of transitions used by the two portions of the controller are mutually exclusive and
the constraint is uncoupled according to definition 15.
It is easy to see that if the constraints are uncoupled, i.e. $T_l \cap T_f = \emptyset$, then (60) must be true
by working backward through the development above. If (60) were not true, then there would exist
some $t_i \in T_f$ and $t_i \in T_l$, which would imply through equations (61) and (62) that $T_l \cap T_f \ne \emptyset$ and
the constraints were coupled.
Proposition 17. Place/transition constraint admissibility. An uncoupled vector constraint of form (52) is to be imposed on a plant $(D_p, \mu_{p0})$ with uncontrollable transitions $T_{uc}$
and controllable transitions $T_c$, $T_{uc} \cap T_c = \emptyset$.
If the constraints
$$l^T\mu_p \le b \qquad (64)$$
$$f^T q \le |b| \qquad (65)$$
are both admissible then $l^T\mu_p + f^T q \le b$ is admissible.
Proof. If the admissibility of constraints (64) and (65) implies that (52) is admissible, then the
inadmissibility of (52) will imply that either (64) or (65) is inadmissible or both. For $l^T\mu_p + f^T q \le b$
to be inadmissible, it must lie outside the range of the plant's initial conditions, or a maximally
permissive controller that enforces the constraint would attempt to inhibit an otherwise enabled
transition in the set $T_{uc}$. Because (52) is uncoupled, the transitions that are connected to the
controller places, $T_f$ and $T_l$, are mutually exclusive. This means that at least one of the following
three cases must be true for $l^T\mu_p + f^T q \le b$ to be inadmissible.
1. The initial conditions of the plant violate the constraint.
2. The controller would attempt to inhibit a transition $t_j \in T_{uc}$, where $t_j \in T_f$.
3. Or the controller would attempt to inhibit an otherwise enabled transition $t_j \in T_{uc}$, where
$t_j \in T_l$.
Case 1: The initial state of the plant is $\mu_{p0}$. The firings indicated by the vector $q$ are determined
after the system commences its run, thus if the initial conditions of the plant violate constraint
(52), then
$$l^T\mu_{p0} > b$$
This condition would also indicate that the constraint $l^T\mu_p \le b$ is inadmissible according to Corollary 6.
Case 2: According to the construction of the maximally permissive controller for direct transition constraints, the transitions in the set $T_f$ are identical to the transitions that receive controller
arcs in the constraint $f^T q \le |b|$. If the controller attempts to inhibit an uncontrollable transition
in this set, then the constraint $f^T q \le |b|$ is inadmissible according to Corollary 14.
Case 3: The construction of the maximally permissive controller for the constraint $l^T\mu_p \le b$
shows that the transitions that receive controller arcs for this constraint are identical to the set $T_l$.
If the controller for constraint (52) attempts to disable an otherwise enabled transition in the set
$T_l$, then the constraint $l^T\mu_p \le b$ will be inadmissible according to Corollary 6.
Thus if both $l^T\mu_p \le b$ and $f^T q \le |b|$ are admissible, then $l^T\mu_p + f^T q \le b$ is also admissible.
The use of the propositions and definitions above is illustrated using a process control example
in [16].
7.3.2 Indirect Realization
Firing vector constraints can be realized by preventing the states that would allow the undesirable transition firing; this situation is analogous to the case when a transition is uncontrollable
but is involved with regular marking constraints. Illegal states are prevented in the presence of
uncontrollable transitions by preventing those states which could lead, through uncontrollable transitions, to the explicitly forbidden states. The results for uncontrollable transitions can be applied
to constraints involving the firing vector through utilization of the graph transformations discussed
in the previous section.
The procedure is illustrated in the example below.
Example. For the plant of Figure 7a, we wish to enforce the constraint
$$\mu_2 + q_3 \le 1 \qquad (66)$$
Place $p_2$ is never to have more than one token and transition $t_3$ should never fire when this place is
occupied. This problem could be solved simply by applying the technique of the previous section,
but suppose instead of directly controlling the transition we want to prevent the states that could
lead to the constraint being violated. Because the Petri net is so simple, we can see by inspection
that the job can be done by enforcing the constraint $\mu_2 + \mu_3 \le 1$. But how can this new constraint
be generated automatically based on (66)?
[Figure 7a: places $p_1$, $p_2$, $p_3$; transitions $t_1$, $t_2$, $t_3$]
[Figure 7b: places $p_1$, $p_2$, $p_3$, $p_3'$; transitions $t_1$, $t_2$, $t_3$, $t_3'$]
Figure 7: a) A simple net that will have a firing constraint enforced. b) The graph-transformed
net of the net in Figure 7a.
Suppose we perform the graph transformation on this net as shown in Figure 7b. The transformation changes (66) to
$$\mu_2 + \mu_3' \le 1 \qquad (67)$$
If we continue to follow the procedure described in section 7.3.1, we would end up with a controller
that directly enables and disables transition $t_3$. In order to prevent this from occurring, we will
label transition $t_3$ as uncontrollable and then continue with the procedure.
Applying the method from section 4.3 to (67), we obtain the following transformed constraint:
$$\mu_2 + \mu_3 + \mu_3' \le 1 \qquad (68)$$
The controller that enforces this constraint can be automatically generated using the place invariant
method and is shown in Figure 8a.
The final stage is then to collapse the controlled net back to the form it had before the graph
transformation was performed. The final controlled version of the net is shown in Figure 8b.
Transition $t_3$ will not fire when place $p_2$ contains a token because the controller only allows one
token at a time in places $p_2$ and $p_3$, which is the desired result.
The procedure used in the example is summarized below. Given a constraint
$$l^T\mu_p + f^T q \le b \qquad (69)$$
(where $l$ may be zero, indicating a constraint on the firing vector alone,) first perform a transformation of the plant such that each transition specified by a nonzero entry in $f$ includes a dummy
place to mark its firing as described in section 7.3.1. The marking vector $\mu'$ is associated with the
dummy places and the constraint becomes
$$\begin{bmatrix} l^T & f^T \end{bmatrix} \begin{bmatrix} \mu_p \\ \mu' \end{bmatrix} \le b \qquad (70)$$
[Figure 8a: the net of Figure 7b ($p_1$, $p_2$, $p_3$, $p_3'$; $t_1$, $t_2$, $t_3$, $t_3'$) with its controller]
[Figure 8b: the net of Figure 7a ($p_1$, $p_2$, $p_3$; $t_1$, $t_2$, $t_3$) with its controller]
Figure 8: a) The net of Figure 7b with its Petri net controller. b) The untransformed net of Figure
7a with its Petri net controller.
Next mark all transitions specified by nonzero entries in $f$ as uncontrollable. Use established
techniques for the handling of uncontrollable transitions to find an admissible constraint that enforces the inadmissible constraint (70) and construct a supervising controller for this constraint.
This will have the effect of preventing the states that could lead to (70) being violated. It will
prevent the transitions specified by $f$ from being enabled such that constraint (69) could be violated. Finally, collapse the net back to its original form by removing the dummy places and extra
transitions as described in section 7.3.1.
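The procedure above, carried out on the running example as an added worked example in Python (not code from the report). The plant is assumed to be the cycle $p_1 \to t_1 \to p_2 \to t_2 \to p_3 \to t_3 \to p_1$, which is how Figure 7a is read here; the transformed constraint (68) is taken from the text rather than recomputed, since the section 4.3 method is not reproduced on this page; the admissibility test $l^T D_{uc} \le 0$ restates the condition that the controller $D_c = -l^T D_p$ draws no arc into an uncontrollable transition:

```python
# Added example, not from the report: the indirect realization procedure for
# constraint (66), mu_2 + q_3 <= 1, on a constructed plant taken to be the
# cycle p1 -t1-> p2 -t2-> p3 -t3-> p1 (an assumption about Figure 7a).
# Admissibility test l^T D_uc <= 0 and controller D_c = -l^T D_p,
# mu_c0 = b - l^T mu_p0 are the invariant-based results used in this section;
# the transformed constraint (68) is taken from the text, not derived here.

def split_transition(Dp, j):
    """Figure 6 transformation: t_j keeps its input arcs and feeds a dummy
    place p_j'; a new t_j' (last column) drains p_j' and takes over the
    output arcs.  Assumes t_j has no self loop with a place, since the
    incidence matrix cannot represent one."""
    n_p, n_t = len(Dp), len(Dp[0])
    out = [row[:] + [0] for row in Dp]
    for i in range(n_p):
        out[i][j] = Dp[i][j] if Dp[i][j] < 0 else 0
        out[i][n_t] = Dp[i][j] if Dp[i][j] > 0 else 0
    dummy = [0] * (n_t + 1)
    dummy[j], dummy[n_t] = 1, -1          # p_j': +1 from t_j, -1 to t_j'
    out.append(dummy)
    return out

def l_times_D(l, D):
    return [sum(l[i] * D[i][j] for i in range(len(l))) for j in range(len(D[0]))]

def is_admissible(l, D, uncontrollable):
    """l^T mu <= b is admissible iff l^T D_uc <= 0: otherwise the controller
    D_c = -l^T D would draw an arc into an uncontrollable transition.
    (Feasibility of the initial marking is checked separately via mu_c0 >= 0.)"""
    prod = l_times_D(l, D)
    return all(prod[j] <= 0 for j in uncontrollable)

def invariant_controller(l, b, D, mu0):
    """One control place enforcing l^T mu <= b: D_c = -l^T D, mu_c0 = b - l^T mu0."""
    Dc = [-x for x in l_times_D(l, D)]
    return Dc, b - sum(x * m for x, m in zip(l, mu0))

def collapse(Dc, j, n_t):
    """Undo the split: controller arcs on t_j' (column n_t) move back onto t_j."""
    out = Dc[:n_t]
    out[j] += Dc[n_t]
    return out

def enabled_transitions(D, Dc, mu, mc):
    """Transitions enabled at (mu, mc) in the closed loop: plant input arcs
    covered, and the control place covers any arc it has into t_j."""
    return [j for j in range(len(D[0]))
            if all(mu[i] >= -D[i][j] for i in range(len(D)) if D[i][j] < 0)
            and mc >= -Dc[j]]

def reachable(D, Dc, mu0, mu_c0):
    """Closed-loop reachable (plant marking, control marking) pairs by
    depth-first search; the example nets are bounded so this terminates."""
    start = (tuple(mu0), mu_c0)
    seen, todo = {start}, [start]
    while todo:
        mu, mc = todo.pop()
        for j in enabled_transitions(D, Dc, mu, mc):
            nxt = (tuple(mu[i] + D[i][j] for i in range(len(D))), mc + Dc[j])
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def never_fires_while_marked(D, Dc, mu0, mu_c0, place, trans):
    """True if no reachable marking both marks `place` and enables `trans`."""
    return all(not (mu[place] > 0 and trans in enabled_transitions(D, Dc, mu, mc))
               for mu, mc in reachable(D, Dc, mu0, mu_c0))

D_P = [[-1, 0, 1], [1, -1, 0], [0, 1, -1]]     # constructed Figure 7a
MU_P0 = [1, 0, 0]
L67 = [0, 1, 0, 1]      # (67): mu_2 + mu_3' <= 1 over (p1, p2, p3, p3')
L68 = [0, 1, 1, 1]      # (68): mu_2 + mu_3 + mu_3' <= 1, as given in the text

if __name__ == "__main__":
    D_T = split_transition(D_P, 2)            # Figure 7b: add p3', t3'
    print("(67) admissible with t3 uncontrollable:", is_admissible(L67, D_T, [2]))
    print("(68) admissible with t3 uncontrollable:", is_admissible(L68, D_T, [2]))
    Dc, mu_c0 = invariant_controller(L68, 1, D_T, MU_P0 + [0])
    Dc = collapse(Dc, 2, 3)                   # back to (t1, t2, t3), Figure 8b
    print("controller row over (t1, t2, t3):", Dc, " mu_c0 =", mu_c0)
    print("t3 never enabled while p2 is marked:",
          never_fires_while_marked(D_P, Dc, MU_P0, mu_c0, 1, 2))
```

On the transformed net, (67) fails the test because $t_3$ moves a token into $p_3'$ and so raises $\mu_2 + \mu_3'$; (68) passes because $t_3$ only moves the token from $p_3$ to $p_3'$, leaving $\mu_2 + \mu_3 + \mu_3'$ unchanged. The controller for (68) has arcs only to $t_1$ and from $t_3'$, so collapsing $t_3'$ back onto $t_3$ cancels nothing, and the reachability check confirms that the closed loop never enables $t_3$ while $p_2$ is marked.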
7.4 Logical Constraints on System Behavior
The transformation of logic-based constraints on system behavior into systems of linear inequalities has been studied by Yamalidou and Kantor [30,31]. These transformations apply to safe nets,
meaning that no place in the network can have more than one token at any time. In this case, all
places have two states: either they contain a token or they do not. Similarly all transitions can be
viewed as having two states: either they will fire in the current iteration of the system's evolution
or they will not. This means that both places and transitions have binary valued states in a safe
net and they can be viewed as boolean variables.
Consider the simple network in Figure 9a. We wish to enforce the constraint
$$\text{if } \mu_1 \ne 0 \text{, then } q_3 = 0 \qquad (71)$$
One method of doing this would be to introduce an inhibitor arc into the Petri net model as shown
in Figure 9b. The arc between $p_1$ and $t_3$ is terminated with a circle indicating that the arc will
inhibit the firing of transition 3 whenever place 1 contains any tokens. Unfortunately, with the
addition of an inhibitor arc, we are no longer dealing