0005-1098/91 $3.00 + 0.00 Pergamon Press plc © 1991 International Federation of Automatic Control
Automatica, Vol. 27, No. 4, pp. 641-651, 1991. Printed in Great Britain.
Synthesis of Feedback Control Logic for Discrete Manufacturing Systems*

BRUCE H. KROGH†‡ and LAWRENCE E. HOLLOWAY†
Using Petri nets with auxiliary inputs to model the open-loop dynamics of discrete manufacturing processes, feedback control logic can be synthesized to guarantee the system remains in the set of admissible operating states.

Key Words--Computer control; control system synthesis; discrete systems; manufacturing processes; supervisory control; synthesis methods.
Abstract--This paper concerns the supervisory coordination and control of concurrent activity cycles in automated manufacturing facilities. In contrast to commonly used simulation models which integrate the control policy with the system model, the state transition logic for the manufacturing equipment is represented by a class of controlled Petri nets (CtlPN) with external inputs to be determined by the control synthesis algorithm. We formulate the forbidden state control problem in the CtlPN context and present an algorithm for generating maximally permissive controls which guarantee the system will avoid the forbidden states while permitting a maximal amount of flexibility in the system operation. The problem formulation and control synthesis algorithm are illustrated for an example of AGV co-ordination, and several classes of manufacturing control problems which can be addressed within this framework are identified.
1. INTRODUCTION

MODERN AUTOMATED manufacturing facilities are composed of multiple locally-controlled subsystems, such as machines, transport systems, and storage areas, which must be coordinated by a supervisory controller to achieve the production goals. While many modeling and simulation tools have been developed for evaluating the performance of the system under given control policies, the actual synthesis of the supervisory control logic is typically by trial and error, relying on the experience and insight of the engineers designing the system. The long-term objective of the research described in this paper is to develop tools for automating the control synthesis process so that supervisory policies can be generated automatically to satisfy specifications for the desired (closed-loop) system behavior. In this paper we present a generalization of the algorithm in Holloway and Krogh (1990) to synthesize maximally permissive state feedback policies to satisfy forbidden state specifications in discrete manufacturing systems.

Discrete manufacturing systems can be modeled as a collection of interacting, asynchronous, concurrent discrete event systems. Following an approach similar to Ramadge and Wonham (1987a), our discrete event models have external control inputs which can enable and disable state transitions in the system. The objective is to synthesize the feedback logic to generate the appropriate control inputs based on real-time feedback data from the system sensors. We model the state-transition dynamics in a manufacturing system as a controlled Petri net (CtlPN),§ which is an extension of standard Petri nets with external control inputs as additional enabling conditions on transitions (Krogh, 1987; Ichikawa and Hiraishi, 1988). This modeling formalism allows us to represent the local behavior of subsystems, and the uncontrolled interactions between subsystems, independent of a particular supervisory control policy.

We consider manufacturing control problems in which the control objective can be specified in terms of forbidden states, such as undesirable operating conditions for which the production goals cannot be satisfied, or catastrophic situations in which data or equipment can be damaged. Supervisory control and forbidden state problems occur at all levels of the manufacturing system control hierarchy, ranging from the low-level interaction between equipment controllers and devices, through the coordination of workcells, to the factory-wide coordination of workstation controllers. The control synthesis procedure developed in this paper can be applied at any of these levels.

Forbidden state problems for discrete event systems were originally considered by Ramadge and Wonham (1987b) in the context of finite state machines. The objective is to synthesize a feedback policy which guarantees the system will not enter a forbidden state. Previously proposed methods for solving the forbidden state problem involve essentially an exhaustive search of the entire state space for the system. While this approach has been used to solve simple examples, it is computationally prohibitive for nontrivial applications. The solution method presented in the following sections takes advantage of the graphical PN representation of the system to avoid an exhaustive analysis of the state space.

The state feedback policy presented in this paper generalizes the state feedback policy developed in Holloway and Krogh (1990) in two ways. First, the forbidden states are specified with a more general form of set conditions which leads to a significant reduction in the on-line computations. The second generalization pertains to the nature of the feedback policy itself. The feedback policy in Holloway and Krogh (1990) concerned only the set of maximally permissive controls. Any control that enables more CtlPN transitions than a maximally permissive control would allow the system to eventually enter a forbidden state. The feedback policy developed in the present paper determines a maximal set of admissible controls for each state. This set will include the maximally permissive controls as its maximal elements.

* Received 11 February 1990; revised 29 July 1990; received in final form 20 October 1990. The original version of this paper was presented at the IFAC Workshop on Decisional Structures in Automated Manufacturing which was held in Genova, Italy during September, 1989. The published proceedings of this IFAC Meeting may be ordered from: Pergamon Press plc, Headington Hill Hall, Oxford OX3 0BW, U.K. This paper was recommended for publication in revised form by Editor A. P. Sage.
† Laboratory for Automated Systems and Information Processing, Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213, U.S.A.
‡ Author to whom all correspondence should be addressed.
§ Controlled Petri nets were first referred to as CPNs in Krogh (1987). We use CtlPN in this paper to avoid confusion with the standard abbreviation for Colored Petri Nets.
Rather than determine the maximally permissive controls, the feedback policy identifies the complete set of controls which will guarantee the system will not enter a forbidden state. Thus, we propose a nondeterministic feedback policy that determines constraints on the control decision which must be satisfied regardless of the other operating objectives. The specific control to be applied to the system can then be selected from this set to satisfy criteria related to system scheduling requirements or other performance specifications.
2. CONTROLLED MARKED GRAPHS

We consider systems modeled by controlled marked graphs (CMGs), the class of CtlPNs in which each place has exactly one input arc and one output arc. CMG models capture the concurrent sequential flow of operations for multiple subsystems in a manufacturing facility. In many cases, a CMG is sufficient for modeling the normal operation of a discrete manufacturing system. Equipment and material often cycle through fixed sequences of states which are coordinated and synchronized by the supervisory controller. We note that much of the literature on models for performance analysis restricts attention to this type of concurrent sequential behavior (Dubois and Stecke, 1983; Hillion and Proth, 1989; Perkins and Kumar, 1989). Extensions of the CMG formulation to applications involving nonsequential flow, such as re-work and error recovery cycles, are an area of current research.

Formally, a CtlPN is a five-tuple $\mathcal{G} = (\mathcal{P}, \mathcal{T}, \mathcal{A}, \mathcal{C}, \mathcal{B}, m_0)$ where $\mathcal{P}$ is a finite set of state places, $\mathcal{T}$ is a finite set of transitions, $\mathcal{A} \subset (\mathcal{P} \times \mathcal{T}) \cup (\mathcal{T} \times \mathcal{P})$ is a set of directed arcs connecting state places and transitions, $\mathcal{C}$ is a finite set of control places, $\mathcal{B} \subset (\mathcal{C} \times \mathcal{T})$ is a set of directed arcs associating control places with transitions, and $m_0 : \mathcal{P} \to \mathbb{N}$ is the initial marking of the CtlPN, where $\mathbb{N}$ is the set of non-negative integers. A cyclic controlled marked graph (CMG) is a CtlPN meeting two criteria (Reisig, 1982): (1) for every $p \in \mathcal{P}$, there exists only one $t \in \mathcal{T}$ such that $(p, t) \in \mathcal{A}$ and there exists only one $t \in \mathcal{T}$ such that $(t, p) \in \mathcal{A}$ (i.e. there exists a unique arc into and a unique arc out of every place in $\mathcal{P}$), and (2) the net must be covered by cycles† (i.e. each place $p \in \mathcal{P}$ must be contained in some cycle). The marking of a CMG indicates the distribution of tokens in the state places. We consider initial markings for which: (1) every cycle in $\mathcal{G}$ contains at least one marked place; and (2) every place $p \in \mathcal{P}$ is contained within some cycle which has exactly one marked place. The set of all such markings is denoted by $\mathcal{M}$. We note that the markings in $\mathcal{M}$ are binary and the set of all reachable markings (as defined below) starting from any initial marking in $\mathcal{M}$ is contained in $\mathcal{M}$. This is a consequence of $\mathcal{M}$ being the set of all live and safe markings for the CMG (Reisig, 1982).

† A cycle in a CtlPN is a directed path beginning and ending at the same node (place or transition) with all other nodes in the path occurring only once.

Figure 1 illustrates the graphical representation of a CMG in which circles represent state places, squares represent control places, and bars represent transitions. Tokens in the CMG are represented by dots in the places. In manufacturing applications, each cycle in the CMG represents a cyclic activity in the manufacturing process, and the single token per cycle corresponds to the current state of a subsystem activity cycle.

FIG. 1. A controlled marked graph (CMG).

A control $u : \mathcal{C} \to \{0, 1\}$ assigns a binary token count to each control place. The collection of all controls will be denoted by $\mathcal{U}$. A control $u_1$ is said to be more permissive than a control $u_2$ (denoted by $u_1 > u_2$) if $u_1(c) \ge u_2(c)$ for all $c \in \mathcal{C}$ and if $u_1(c) > u_2(c)$ for at least one $c \in \mathcal{C}$. In Fig. 1, a control $u_1$ such that $u_1(c_1) = u_1(c_3) = u_1(c_4) = 1$ and $u_1(c_2) = 0$ is more permissive than a control $u_2$ where $u_2(c_1) = u_2(c_4) = 1$ and $u_2(c_2) = u_2(c_3) = 0$. The control $u_{\text{one}}$, where $u_{\text{one}}(c) = 1$ for all $c \in \mathcal{C}$, is more permissive than any other control; and all controls which are not identically zero are more permissive than the control $u_{\text{zero}}$, where $u_{\text{zero}}(c) = 0$ for all $c \in \mathcal{C}$.

A state transition occurs (i.e. the CMG marking changes) when an enabled set of transitions in the CMG fires, where these terms are defined as follows. A set of transitions $T \subseteq \mathcal{T}$ is state enabled under a marking $m$ if all state places with directed arcs into transitions in $T$ are nonempty. Similarly, $T$ is control enabled if all control places with directed arcs into transitions in $T$ are nonempty. A set of transitions is enabled if it is both state enabled and control enabled. When an enabled set of transitions $T$ fires, a token is removed from each state place which has an arc to any transition $t \in T$ and a token is added to any state place which has an arc from any transition $t \in T$. We note that since transition firing does not remove tokens from control places, conflict (in the Petri net sense) is not introduced when a control place is connected to more than one transition. Multiple transitions connected to a single control place can fire simultaneously if they are control and state enabled. For example, consider the CMG of Fig. 1 under the control $u$ where $u(c_1) = u(c_2) = u(c_4) = 1$ and $u(c_3) = 0$. Transitions $t_2$ and $t_3$ are enabled, but transition $t_1$ is not enabled since the control place $c_3$ contains a zero token count.
Thus, either or both of the transitions $t_2$ and $t_3$ can fire under the marking and control shown in Fig. 1. In this paper we are interested in (nondeterministic) state feedback policies of the form $U : \mathcal{M} \to 2^{\mathcal{U}}$. A feedback policy maps each marking $m \in \mathcal{M}$ into a set of controls $U(m) \subseteq \mathcal{U}$. A feedback policy $U_1$ is more permissive than a feedback policy $U_2$ (denoted by $U_1 > U_2$) if for all markings $m \in \mathcal{M}$, $U_1(m) \supseteq U_2(m)$, and $U_1(m') \supset U_2(m')$ (strict containment) for some $m' \in \mathcal{M}$. A marking $m'$ is reachable from an initial marking $m$ under a feedback policy $U$ if there exist a sequence of markings $m_0, \ldots, m_N$ with $m_0 = m$ and $m_N = m'$, a sequence of controls $u_0 \in U(m_0), \ldots, u_{N-1} \in U(m_{N-1})$, and a sequence of sets of transitions $T_0, \ldots, T_{N-1}$, such that $T_j$ is enabled under marking $m_j$ and control $u_j$ for $j = 0, \ldots, N-1$, and firing the sequence of transition sets results in the sequence of markings. The set of reachable markings for a marking $m$ under a control $u$ (resp. feedback policy $U$) will be denoted as $\mathcal{R}(u, m)$ [resp. $\mathcal{R}(U, m)$]. It is easily shown that if $u_1 > u_2$ (resp. $U_1 > U_2$), then $\mathcal{R}(u_1, m) \supseteq \mathcal{R}(u_2, m)$ [resp. $\mathcal{R}(U_1, m) \supseteq \mathcal{R}(U_2, m)$] (Krogh, 1987).
An example

To illustrate the application of CMG models to manufacturing systems, we consider the example of coordinating multiple automated guided vehicles (AGVs) on a factory floor which was briefly described in Holloway and Krogh (1990). We consider the same example in this paper so that the advantages of the more generalized algorithm presented herein can be illustrated. The CMG in Fig. 2 models an automated material handling system consisting of five AGVs which transport material between pairs of stations. Each AGV can execute a cyclic route in the system where corridors (or zones) along the routes are represented by places in the CMG model. For example, AGV A moves between an input parts station and workstation 1, and AGV B moves between an input parts station and workstation 2. The AGVs synchronize with the stations through shared transitions. These synchronization points represent the loading or unloading of parts at the stations. AGVs wait at these locations for fixtures or parts to become available. The marking of the CMG model represents the current locations of the AGVs in their various cycles. For example, the token in the place $p_{D?}$ indicates AGV D is ready to depart from workstation 1. The different AGV paths cross each other in the shared zones, represented by the shaded regions in Fig. 2. To avoid collisions, only one AGV should be in one of the shared zones at any time. A centralized controller (supervisor) is responsible for coordinating the departure of AGVs from the workstations. The supervisor can inhibit or enable the departure of an AGV from a workstation by changing the token load in a control place. For example, a control $u$ with $u(c_4) = 0$ will prevent the departure of AGV B from the input parts station; a control $u$ with $u(c_4) = 1$ will enable the departure of AGV B. The supervisor must guarantee that no two AGVs simultaneously occupy one of the shared zones. This operating constraint is specified as a forbidden state problem in the following section. Given a marking of the CMG, the maximally permissive feedback policy for this example will generate the maximal set of controls which guarantee no collisions will occur. The supervisor can then select from among these admissible controls to optimize the material transfer operations in the system.

FIG. 2. CMG model of a manufacturing system.
3. FORBIDDEN STATE SPECIFICATIONS

Forbidden state problems for manufacturing systems involve the synthesis of control policies which guarantee the system never enters a specified set of undesirable states. In discrete manufacturing systems, control specifications that can be formulated as forbidden state problems include:

Resource conflicts. Attempts by more than one system component to access the same resource can be modeled in terms of mutual exclusion conditions on the individual component states.

Deadlocks. Circular wait conditions for a set of resources correspond to forbidden states in which some processes will be delayed indefinitely.

Sequencing specifications. Sequencing requirements, such as priority access to resources and operation precedence relations, can be expressed in terms of forbidden states in which the desired sequencing has been violated.

Buffer overflow. Finite buffer capacities define a class of forbidden states in which the buffer capacities have been exceeded.

Operation rules. Many constraints on the operation of manufacturing systems can be expressed as preconditions for the execution of various operations. These rules can be translated into equivalent specifications of the forbidden states in which the operational rules have been violated.

The AGV example illustrates the representation of resource conflicts as forbidden states. Each shared zone represents a resource that can be used by only one AGV at a time. A forbidden state is any marking for which there is more than one AGV in any shared zone, corresponding to a potential collision between AGVs. Given a specification of these forbidden conditions for the AGV system, the supervisory control logic must assure the system never enters a forbidden state. The marking of a CMG model for a discrete state system provides a distributed representation of the system state. This state representation can be exploited to specify the set of forbidden states efficiently.
The need for an efficient specification of the set of forbidden states is illustrated by the AGV problem. The CMG for the AGV example has well over a million possible markings, many of which are forbidden states. An efficient representation of these forbidden states is preferable to listing them explicitly. Moreover, as we demonstrate in the following sections, an efficient specification leads to an efficient algorithm for determining the maximal set of admissible controls.

In Holloway and Krogh (1990), the forbidden markings were specified by sets of places which could not all be marked simultaneously. Although this specification method is in general more concise than an exhaustive list of forbidden markings, it still requires the specification of a collection of sets of places which can grow combinatorially with the problem size in some cases. For example, in the AGV system the condition that no two AGVs can occupy a shared zone at one time requires a list of sets of places characterizing all pair-wise combinations of AGVs present in each shared zone. For the CMG of Fig. 2, this requires four sets of two places for each shared zone, since only two AGVs pass through any given zone. Thus, a total of 16 sets of places are required to specify the entire set of forbidden markings for this example. If $N$ AGVs passed through a zone, each in two directions, then the specification method used in Holloway and Krogh (1990) would require a list of $4\binom{N}{2}$ pairs of places.

In the present paper, the set of forbidden markings is specified by a collection of ordered pairs of the form $(F, k) \in 2^{\mathcal{P}} \times \mathbb{N}^+$, where $\mathbb{N}^+$ is the set of positive integers. An ordered pair $(F, k)$, referred to as a set condition, defines a subset of forbidden markings, $\mathcal{M}_{(F,k)}$, given by

$$\mathcal{M}_{(F,k)} := \Big\{ m \in \mathcal{M} \;\Big|\; \sum_{p \in F} m(p) > k \Big\}.$$

In words, a set condition $(F, k)$ identifies the markings for which there are more than $k$ tokens in the set of places $F$. Letting $|F|$ denote the cardinality of the set $F$, we assume through the remainder of the paper that $|F| > k$ for any set condition $(F, k)$, since $\mathcal{M}_{(F,k)} = \emptyset$ if $|F| \le k$.

conditions defined in Holloway and Krogh (1990). In the following section we demonstrate how these more generalized specifications also lead to a reduction in the on-line computations required for determining the maximal set of admissible controls for each marking in $\mathcal{M}$.

4. MAXIMALLY PERMISSIVE FEEDBACK POLICIES

One ramification of the hierarchical and distributed nature of the normal factory control architecture is that subsystems are semiautonomous; that is, there are subsystem state transitions governed by the local controllers which cannot be directly influenced by supervisory control inputs. Not all events in the system will be controllable from a supervisor. For example, in the AGV system the supervisor can detain the AGVs only at the workstations; once an AGV begins its route to another workstation it is entirely under local control. In this case, attempting to avoid just the forbidden states will often not be sufficient to prevent a forbidden condition from occurring. Given a set of forbidden states $\mathcal{M}_F$, the set of admissible states, denoted by $\mathcal{M}_a$, is defined as the set of markings from which a marking in $\mathcal{M}_F$ cannot be reached uncontrollably (Holloway and Krogh, 1990). Formally, $\mathcal{M}_a$ is defined as:

In the terminology of Ramadge and Wonham (1987b), the set of admissible states for a given forbidden class is equivalent to the maximal controlled-invariant set. Given a set of forbidden states, the forbidden state control problem is to find a feedback policy which guarantees there is a controlled-invariant set that does not contain a forbidden state. The set of admissible states is the maximal set of states for which the forbidden state control problem can be solved. Given a set of forbidden states $\mathcal{M}_F$, we develop a feedback policy $U_a$ such that:
1. For any $m \in \mathcal{M}_a$, $\mathcal{R}(U_a, m) \cap \mathcal{M}_F = \emptyset$; and
2. If $U'$ is a feedback policy which is more permissive than $U_a$, then there exists some $m' \in \mathcal{M}_a$ such that $\mathcal{R}(U', m') \cap \mathcal{M}_F \neq \emptyset$.
The first condition implies that $\mathcal{M}_a$ is controlled-invariant under $U_a$, which means $U_a$ solves the forbidden state problem for the largest possible set of states for which it can be solved. The second condition implies that for each marking $m \in \mathcal{M}_a$, the set of controls $U_a(m)$ is the largest set of admissible controls, that is, the largest set of controls which will guarantee the next state is admissible. The existence of a unique maximal set of admissible controls for each state follows directly from the partial
ordering on the controls and the associated sets of reachable markings defined in Section 2 (Krogh, 1987). The concept of the maximally permissive policy is illustrated by the AGV example in Fig. 2 as follows. Suppose the controller receives signals from the AGVs indicating their current locations corresponding to the marked places in the AGV cycles of the CMG model. For the marking of the CMG in Fig. 2, the maximal set of admissible controls can be characterized by the two maximally permissive controls which will ensure that no two AGVs will be in the same zone simultaneously, namely: (1) $u(c) = 0$ for $c \in \{c_4, c_7\}$ and $u(c) = 1$ otherwise; and (2) $u(c) = 0$ for $c \in \{c_6, c_7\}$ and $u(c) = 1$ otherwise. In both cases, control place $c_7$ must be disabled to ensure AGV E will not collide with the already released AGV F in zone 4. Since AGV E is not released, zone 3 is available for AGV B. The potential for a collision in zone 2, however, requires that AGV B and AGV D cannot be released simultaneously. Hence, these two maximally permissive controls represent the choice of either allowing AGV B or AGV D to pass through zone 2.

The feedback policy computations for a set of forbidden markings $\mathcal{M}_F$ specified by a collection of set conditions $\mathcal{F}$ take advantage of the structure of the CMG model to avoid the evaluation of the complete reachability graph for the Petri net. There are two sets of computations: off-line computations that are performed once to identify particular sets of paths and controls in the CMG; and on-line computations that monitor the markings of the paths generated off-line, and generate the characterization of the set of admissible controls for the current marking. In this section we describe these computations. The algorithm is illustrated for the AGV example in Section 5 and supporting theoretical results are presented in Section 6.
4.1. Off-line computations

The off-line computations identify particular paths of places in the CMG model of the manufacturing system to be monitored by the on-line controller. The following definitions and notation are used to describe these computations. Given a controlled marked graph $\mathcal{G} = (\mathcal{P}, \mathcal{T}, \mathcal{A}, \mathcal{C}, \mathcal{B}, m_0)$, a path is defined as a sequence of places along a directed path in the Petri net graph which does not contain any node more than once. The input transition to the first place in a path $\pi$ will be denoted by $t_\pi$ and the set of control places connected to $t_\pi$ will be denoted by $C_\pi$. Given two paths $\pi_1, \pi_2$ in $\mathcal{G}$, the notation $\pi_1 \subseteq \pi_2$ indicates that path $\pi_2$ contains path $\pi_1$, that is, all of the places in $\pi_1$ are also in $\pi_2$. Given a path $\pi$ and a marking $m \in \mathcal{M}$, the weight of path $\pi$ under marking $m$, denoted by $w_\pi(m)$, is defined as the sum of tokens in the places in $\pi$ under the marking $m$. Given a transition $t \in \mathcal{T}$ and place $p \in \mathcal{P}$, $\Pi(t, p)$ denotes the set of paths emanating from transition $t$ and terminating with place $p$. Note that $\Pi(t, p)$ will be empty if and only if $t$ and $p$ are not in the same strongly connected component of the CMG. (All places and transitions are in strongly connected components since the CMG is covered by directed cycles.) Letting $T_c \subseteq \mathcal{T}$ denote the set of controlled transitions, i.e. those connected to at least one control place, we then define the set of paths $\Pi_c(t, p) \subseteq \Pi(t, p)$ as $\Pi_c(t, p) = \{\pi \in \Pi(t, p) \mid \text{if } t' \in \mathcal{T} \text{ is in } \pi, \text{ then } t' \notin T_c\}$, where a transition is said to be in a path $\pi$ if it is connected to two places in $\pi$. In words, $\Pi_c(t, p)$ is the set of paths from transition $t$ to place $p$ that do not contain controlled transitions. Given an initial marking $m_0 \in \mathcal{M}$, we let $\Pi^*(t, p, m_0)$ denote the set of paths in $\Pi_c(t, p)$ with minimal weight under the marking $m_0$; that is, $\Pi^*(t, p, m_0) = \{\pi \in \Pi_c(t, p) \mid w_\pi(m_0) \le w_{\pi'}(m_0) \text{ for all } \pi' \in \Pi_c(t, p)\}$. For each place $p \in \mathcal{P}$, we associate a set of controlled transitions, $T_c(p)$, defined by

$$T_c(p) = \{t \in T_c \mid \Pi_c(t, p) \neq \emptyset\}.$$

Hence, $T_c(p)$ is the set of controlled transitions from which there exists at least one path to the place $p$ that does not contain another controlled transition. With the above definitions and notation, the off-line computations for a given CMG and a collection $\mathcal{F}$ of set conditions are summarized as follows:
1. Let $\mathcal{P}_F$ denote the set of all places in the set conditions in $\mathcal{F}$.
2. For each $p \in \mathcal{P}_F$ and each $t \in T_c$, compute the sets $\Pi_c(t, p)$ and $\Pi^*(t, p, m_0)$.
3. For each $p \in \mathcal{P}_F$, compute the set $T_c(p)$.
4. For each $t \in T_c(p)$, choose one path in $\Pi^*(t, p, m_0)$ to define a set of paths $\Pi^*(p)$ (with $\Pi^*(p) = \emptyset$ if $T_c(p) = \emptyset$).
5. For each path $\pi \in \Pi^*(p)$, let $C_\pi \subseteq \mathcal{C}$ be the set of control places connected to transition $t_\pi$.
The off-line computations generate a set of paths $\Pi^*(p)$ for each place $p$ appearing in some set condition $(F, k) \in \mathcal{F}$, along with the sets of control input places $C_\pi$ associated with the transitions $t_\pi$ at the beginnings of each of the paths in $\Pi^*(p)$. We note that the sets of minimal
weight paths in step 2 above can be computed using Floyd's algorithm for computing the matrix of shortest paths in a graph (Floyd, 1962).

4.2. On-line computations

The on-line operations consist of evaluating a set of predicates which are defined in terms of the weights of the paths generated by the off-line computations. These predicates are defined as follows. Given a path $\pi$ and a marking $m \in \mathcal{M}$:

$$A_\pi(m) := \begin{cases} 1 & \text{if } w_\pi(m) > 0 \\ 0 & \text{otherwise} \end{cases}$$

and

$$\Delta_\pi(m) := \begin{cases} 1 & \text{if } t_\pi \text{ is state enabled under } m \\ 0 & \text{otherwise.} \end{cases}$$

Given a place $p \in \mathcal{P}_F$ for a collection of set conditions $\mathcal{F}$ and the set of paths $\Pi^*(p)$ from the off-line computations,

$$\Lambda_p(m) := \begin{cases} 1 & \text{if } \Pi^*(p) = \emptyset, \text{ or } A_\pi(m) = 1 \text{ for all } \pi \in \Pi^*(p) \\ 0 & \text{otherwise} \end{cases}$$

and

$$\Delta_p(m) := \begin{cases} 1 & \text{if } \Lambda_p(m) = 0 \text{ and } A_\pi(m) \vee \Delta_\pi(m) = 1 \text{ for all } \pi \in \Pi^*(p) \\ 0 & \text{otherwise.} \end{cases}$$
In words, $\Lambda_p(m)$ is true when place $p$ can become marked uncontrollably, that is, no control action can keep $p$ from eventually being marked. $\Delta_p(m)$ is true when the marking is a so-called boundary marking for the place $p$, which means that $\Lambda_p(m)$ can become true on the next transition if some transitions in $T_c(p)$ are not control-disabled. Given these definitions, the on-line control algorithm consists of evaluating the following sets of places for each set of places $F$ in the collection of set conditions $\mathcal{F}$:

$$L_F(m) := \{p \in F \mid \Lambda_p(m) = 1\} \quad \text{and} \quad B_F(m) := \{p \in F \mid \Delta_p(m) = 1\}.$$

In words, $L_F(m)$ is the set of places in $F$ which can become marked uncontrollably; and $B_F(m)$ is the set of places in $F$ which can become uncontrollably marked following the next state transition unless one of a particular set of controlled transitions is disabled. In the terminology of Holloway and Krogh (1990), $B_F(m)$ is the set of places for which $m$ is a boundary marking. Once the above sets have been identified for a marking $m \in \mathcal{M}$, the maximal set of admissible controls $U_a(m)$ can be completely characterized as follows. Given a control $u \in \mathcal{U}$, for each set of places $F$ in a set condition in $\mathcal{F}$ define the set of places

$$D_F(m, u) := \{p \in B_F(m) \mid \exists\, \pi \in \Pi^*(p) \text{ such that } \Delta_\pi(m) = 1 \text{ and } u(c) = 0 \text{ for some } c \in C_\pi\}.$$

$D_F(m, u)$ is the set of places in $B_F(m)$ which cannot become marked uncontrollably following the next transition if the control $u$ is applied, since $u$ disables at least one controlled transition associated with a boundary-marked path leading to place $p$. Under a mild technical assumption on the set conditions in $\mathcal{F}$, we show in Section 6 that the maximal set of admissible controls $U_a$ is given by:

$$U_a(m) = \{u \in \mathcal{U} \mid \forall (F, k) \in \mathcal{F},\ |D_F(m, u)| \ge |L_F(m)| + |B_F(m)| - k\}.$$

Thus, the maximally permissive feedback policy is completely determined by the paths $\Pi^*(p)$ for each $p \in \mathcal{P}_F$ with the corresponding sets of controls $C_\pi$ and predicates $\Delta_\pi(m)$, and the sets $L_F(m)$ and $B_F(m)$ for each $F$ in a set condition in $\mathcal{F}$. Given this information, it is straightforward to test whether a control $u$ is admissible using the definition of $D_F(m, u)$ given above for each $F$. We note that the set of admissible controls $U_a(m)$ as defined above is nonempty if and only if the marking $m$ is an admissible state. This follows immediately from the fact that $m$ is admissible if and only if $|L_F(m)| \le k$ for each set condition $(F, k) \in \mathcal{F}$.

Given a collection of set conditions $\mathcal{F}$, and the results from the off-line computations (i.e. the set of paths $\Pi^*(p)$ for each place $p \in \mathcal{P}_F$, and the sets of control input places $C_\pi$ associated with each of the paths in $\Pi^*(p)$), the on-line computations for a given marking $m \in \mathcal{M}$ are summarized as follows:
1. For each $p \in \mathcal{P}_F$: (a) evaluate the predicates $A_\pi(m)$ and $\Delta_\pi(m)$ for each $\pi \in \Pi^*(p)$; (b) evaluate the predicates $\Lambda_p(m)$ and $\Delta_p(m)$.
2. For each $(F, k) \in \mathcal{F}$, evaluate the sets $L_F(m)$ and $B_F(m)$.
3. If $|L_F(m)| > k$ for any $(F, k) \in \mathcal{F}$, then $m \notin \mathcal{M}_a$ and no control exists that will guarantee a forbidden state will not be reached.
The results of these computations, namely, the predicates $\Delta_\pi(m)$ and the sets $L_F(m)$ and $B_F(m)$, along with the results of the off-line computations, are passed to the algorithm that selects the particular control to be applied for the current state $m$. The control selection algorithm can evaluate whether a candidate control $u \in \mathcal{U}$ is admissible with respect to the
forbidden state specifications using the definitions of $D_F(m, u)$ and $U_a(m)$ given above. The inherent bit-level parallelism of digital computers can be exploited to perform the on-line computations very quickly. If the places in the CMG model of the manufacturing system are indexed, the current state of the system can be represented by a simple binary vector. Similarly, each path $\pi \in \Pi^*(p)$, for each $p \in \mathcal{P}_F$, can be represented as a binary vector, with bit values of one for each $p \in \pi$. The predicate $A_\pi(m)$ can then be evaluated by performing a bit-level Boolean AND of the path vector and the state vector. A nonzero evaluation means the path is marked and so $A_\pi(m) = 1$. Similar bit-level Boolean operations can be used to evaluate the predicates $\Delta_\pi(m)$ and the sets $L_F(m)$ and $B_F(m)$. Consequently, the time required for the on-line computations is negligible with respect to the usual time-scales involved in the supervisory control of discrete manufacturing systems.

5. APPLICATION TO THE AGV EXAMPLE
To illustrate the off-line and on-line computations, we reconsider the AGV example of Fig. 2. Recall from Section 4 that there are four forbidden set conditions, each corresponding to a zone in which AGVs may potentially collide. These conditions are

$(F_1, k_1) = (\{p_{A2}, p_{A5}, p_{B2}, p_{B13}\}, 1)$,
$(F_2, k_2) = (\{p_{?}, p_{B11}, p_{D5}, p_{D?}\}, 1)$,
$(F_3, k_3) = (\{p_{?}, p_{B?}, p_{?}, p_{C?}\}, 1)$,
$(F_4, k_4) = (\{p_{E4}, p_{E7}, p_{F2}, p_{?}\}, 1)$,

where a question mark stands for a subscript that is illegible in the source, and $\mathcal{F}$ is then the set containing each $(F,k)$ pair above.

The off-line computations begin by determining the set $P_{\mathcal{F}}$, which is the union of all places in the $F$ conditions specified above. Given an initial marking $m_0$, we compute for each $p \in P_{\mathcal{F}}$ the sets $\Pi_c(t,p)$ and $\Pi_c^*(t,p,m_0)$ to determine the sets $\Pi^*(p)$, $T_c(p)$ and $C_\pi$, $\forall \pi \in \Pi^*(p)$. For example, for the place $p_{B13}$ there exists only one path $\pi' = (p_{B?}, p_{B10}, p_{B11}, p_{B12}, p_{B13})$ in the union of all $\Pi_c(t, p_{B13})$, and consequently this holds for any initial marking $m_0$. Thus $\Pi_c(t_4, p_{B13}) = \Pi_c^*(t_4, p_{B13}, m_0) = \Pi^*(p_{B13}) = \{\pi'\}$ for any $m_0$, and $\Pi_c(t, p_{B13}) = \Pi_c^*(t, p_{B13}, m_0) = \emptyset$ for all $t \ne t_4$. From this we find $T_c(p_{B13}) = \{t_4\}$ and $C_{\pi'} = \{c_4\}$.

To illustrate the on-line operations, we use the marking $m$ illustrated in Fig. 2, and briefly examine three different situations using three of the forbidden set conditions (i.e. three shared zones).

First we consider $(F_1, k_1)$ for shared zone 1. For $F_1$ under $m$ the only nonzero place predicate is $A_{p_{B13}}(m) = 1$. Consequently $L_{F_1}(m) = \emptyset$ and $B_{F_1}(m) = \{p_{B13}\}$. Since $|L_{F_1}(m)| + |B_{F_1}(m)| - k_1 = 0$, no place in $B_{F_1}(m)$ must be prevented from becoming marked, and so no controls need to be disabled to prevent the forbidden condition $F_1$ from occurring.

For shared zone 2, the only nonzero place predicates are $A_{p_{D5}}(m) = A_{p_{B11}}(m) = 1$. Thus $L_{F_2}(m) = \emptyset$ and $B_{F_2}(m) = \{p_{D5}, p_{B11}\}$. We must prevent a total of $|L_{F_2}(m)| + |B_{F_2}(m)| - k_2 = 1$ places from becoming marked to prevent the forbidden condition $F_2$ from occurring. Note that any control $u$ such that $u(c_4) = 0$ (for $p_{B11}$) or $u(c_6) = 0$ (for $p_{D5}$) will give $|D_{F_2}(m,u)| \ge 1$ and be satisfactory. This represents the choice of preventing either AGV B or AGV D from approaching the zone.

Finally, we examine shared zone 4. The only nonzero place predicates are $\bar{A}_{p_{F2}}(m) = A_{p_{E4}}(m) = 1$. We find that $L_{F_4}(m) = \{p_{F2}\}$, $B_{F_4}(m) = \{p_{E4}\}$ and $|L_{F_4}(m)| + |B_{F_4}(m)| - k_4 = 1$. Thus we must choose a control $u$ such that some place in $B_{F_4}(m)$ will not become marked, i.e. such that $|D_{F_4}(m,u)| = 1$. Since $B_{F_4}(m)$ contains only the place $p_{E4}$, and the only control on any path for this place is $c_7$, any control $u$ which will prevent the occurrence of the forbidden condition $(F_4, 1)$ must have $u(c_7) = 0$.

Note that determining whether a control is satisfactory only requires the simple on-line evaluation of some predicates and sets. These operations permit the testing of a control to see if it is satisfactory for preventing forbidden conditions from occurring, without ever determining the connectivity of the state space. In the AGV example, as in most other nontrivial systems, the state space can be very large. The above example has well over a million states, and computing and storing the connectivity between each state under all possible controls would be computationally prohibitive. Even the specification of the forbidden states would be nontrivial in the state space.
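The on-line test that the three zones above walk through, as an added example that is not code from the paper: it runs the Section 4 procedure (path predicates by bit-level AND, then $L_F$, $B_F$, $D_F$ and the admissibility inequality) on a constructed three-vehicle net rather than the AGV net of Fig. 2, which is not reproduced here. The net, the names and the constructed markings are assumptions, and so is the reading of the predicates: a path is taken to run from an input place of its controlled transition down to $p$, $A_\pi(m) = 1$ when any place of the path holds a token, $\bar{A}_\pi(m) = 1$ when a token sits strictly past the controlled transition, and a place of $B_F(m)$ counts as prevented by $u$ when some marked path into it has a control input set to 0 (the net has no joins, so each zone place has exactly one path).

```python
"""Added example (not from Krogh and Holloway): the on-line admissibility test
of Section 4, run on a constructed three-vehicle net with bit-vector markings."""
from itertools import product

# Constructed net: vehicles X, Y, Z, each a 4-place cycle
# r1 -> t_r -> r2 -> r3 -> r4 -> r1, where only t_r (between r1 and r2) is
# controlled, by the single control place c_r.
PLACES = [f"{v}{i}" for v in "xyz" for i in range(1, 5)]
BIT = {p: 1 << i for i, p in enumerate(PLACES)}   # place index -> bit
CONTROLS = ["cx", "cy", "cz"]

def vec(places):
    """Binary state/path vector, as an int, with a 1 bit for each place."""
    m = 0
    for p in places:
        m |= BIT[p]
    return m

# Assumed reading of the path data: each pi in Pi*(p) runs from an input place
# of its controlled transition t_pi down to p; C_pi is the set of control
# places of t_pi; "tail" is the part of pi strictly after t_pi.
PATHS = {}
for v in "xyz":
    for n in (2, 3):                      # zone places used below are r2, r3
        pl = [f"{v}{i}" for i in range(1, n + 1)]
        PATHS.setdefault(f"{v}{n}", []).append(
            {"mask": vec(pl), "tail": vec(pl[1:]), "controls": frozenset({f"c{v}"})})

# Set conditions (F, k): at most k places of F may be marked simultaneously.
CONDITIONS = [
    ({"x2", "y2"}, 1),          # zone 1: X and Y never share it
    ({"x3", "y3", "z3"}, 2),    # zone 2: room for two of the three vehicles
]

def A(p, m):
    """p is marked, or some path into p is marked: p can become marked."""
    return bool(m & BIT[p]) or any(m & pi["mask"] for pi in PATHS.get(p, []))

def A_bar(p, m):
    """p is marked, or a path is marked past its controlled transition:
    p becomes marked whatever control is applied."""
    return bool(m & BIT[p]) or any(m & pi["tail"] for pi in PATHS.get(p, []))

def L_B(F, m):
    """L_F(m): places of F that will be marked regardless; B_F(m): places of F
    that can still be blocked by the control."""
    L = {p for p in F if A_bar(p, m)}
    B = {p for p in F if A(p, m) and not A_bar(p, m)}
    return L, B

def D(B, m, u):
    """D_F(m, u): places of B_F(m) that u prevents, i.e. some marked path into
    the place has one of its control inputs set to 0."""
    return {p for p in B
            if any(any(u[c] == 0 for c in pi["controls"])
                   for pi in PATHS[p] if m & pi["mask"])}

def admissible(m, u, conds=CONDITIONS):
    """u in U_F(m): |D_F(m,u)| >= |L_F(m)| + |B_F(m)| - k for every (F, k)."""
    for F, k in conds:
        L, B = L_B(F, m)
        if len(D(B, m, u)) < len(L) + len(B) - k:
            return False
    return True

def admissible_marking(m, conds=CONDITIONS):
    """Step 3 of the on-line procedure: |L_F(m)| <= k for every (F, k)."""
    return all(len(L_B(F, m)[0]) <= k for F, k in conds)

def maximal_controls(m, conds=CONDITIONS):
    """Maximal elements of U_F(m) (which is closed under u' <= u), as tuples
    ordered like CONTROLS."""
    adm = [bits for bits in product((0, 1), repeat=len(CONTROLS))
           if admissible(m, dict(zip(CONTROLS, bits)), conds)]
    return [u for u in adm
            if not any(v != u and all(a >= b for a, b in zip(v, u)) for v in adm)]

# Constructed markings: all three waiting before their controlled transition;
# Y already inside zone 1; X and Y both inside zone 1 (already forbidden).
M_WAITING = vec(["x1", "y1", "z1"])
M_Y_IN_ZONE1 = vec(["x1", "y2", "z1"])
M_COLLISION = vec(["x2", "y2", "z1"])

if __name__ == "__main__":
    for name, m in [("waiting", M_WAITING), ("Y in zone 1", M_Y_IN_ZONE1),
                    ("collision", M_COLLISION)]:
        print(name, admissible_marking(m), maximal_controls(m))
```

For `M_WAITING` there are two maximal controls, hold X or hold Y, which is the same choice as in shared zone 2 above; for `M_Y_IN_ZONE1` there is one (X must be held, Z is free); for `M_COLLISION` step 3 already fails and $U_{\mathcal{F}}(m)$ is empty. Each path predicate is a single AND on integer bit vectors, as described in Section 4. Keeping the computation of $U_{\mathcal{F}}(m)$ separate from the choice within it is the same split a runtime enforcement monitor uses: the safety check decides what is allowed, a separate policy decides what to do.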
In contrast, modeling in the CtlPN framework allows an intuitive specification of the forbidden conditions and leads to a computationally efficient on-line algorithm for evaluating the set of admissible controls.

6. THEORETICAL RESULTS
In this section we demonstrate that the expression given for $U_{\mathcal{F}}$ in Section 4 characterizes the maximal set of admissible controls for any admissible marking $m$, provided the collection of set conditions $\mathcal{F}$ satisfies the following assumption, which is similar to the precedence path input condition (ppic) defined for set conditions in Holloway and Krogh (1990).

Specification assumption (SA). Given $\mathcal{F} \subseteq 2^{\mathcal{P}} \times \mathbb{Z}^+$, if $p, p' \in F$, $p \ne p'$, for any $(F,k) \in \mathcal{F}$, then for any $\pi \in \Pi_c(t,p)$ with $t \in T_c(p)$, (i) $p' \notin \pi$ and (ii) $p'$ is not an input state place to $t_\pi$.

This assumption states that no place in a set condition is an input to, or contained in, one of the controlled paths leading to another place in the same set condition. In the following we assume the collection of forbidden set specifications satisfies the SA.

To prove that $U_{\mathcal{F}}$ is the desired maximally permissive feedback policy for a forbidden state specification $\mathcal{F}$, we construct an equivalent forbidden state specification $\mathcal{F}^*$ to which the algorithm from Holloway and Krogh (1990) can be applied. We then show that for any admissible state $m$, $U_{\mathcal{F}}(m)$ is in fact equal to the set of controls which are less than or equal to the maximally permissive controls generated by the algorithm in Holloway and Krogh (1990) for the set conditions in $\mathcal{F}^*$.

We begin by defining the forbidden state specification $\mathcal{F}^*$ for a given collection of set conditions $\mathcal{F}$. For each $(F,k) \in \mathcal{F}$, let $\mathcal{F}^*_{(F,k)}$ denote the collection of $\binom{|F|}{k+1}$ subsets of $F$ of cardinality $k+1$ (recall that $|F| > k$). Define $\mathcal{F}^*$ as the union of the collections $\mathcal{F}^*_{(F,k)}$ over all $(F,k) \in \mathcal{F}$, and let $M_{\mathcal{F}^*}$ denote the set of forbidden markings specified by the sets in $\mathcal{F}^*$ as defined in Holloway and Krogh (1990); i.e. $\mathcal{F}^*$ is a so-called class condition that defines the set of forbidden markings given by

$$M_{\mathcal{F}^*} := \{\, m \in \mathcal{M} \mid \exists F^* \in \mathcal{F}^* \text{ such that } m(p) = 1 \text{ for all } p \in F^* \,\}.$$

It is easily verified that $M_{\mathcal{F}^*} = M_{\mathcal{F}}$, the set of forbidden markings specified by the collection of (generalized) set conditions $\mathcal{F}$: a marking has more than $k$ places of $F$ marked exactly when it marks every place of some $(k+1)$-element subset of $F$. Therefore, the maximal set of admissible controls for a given admissible marking is the same for both specifications. It can also be easily shown that the class condition $\mathcal{F}^*$ as defined above satisfies the so-called ppic condition in Holloway and Krogh (1990) if and only if the collection of set conditions $\mathcal{F}$ satisfies the SA.

We claim that the predicates $A_p(m)$ and $\bar{A}_p(m)$ defined in the present paper are equivalent to the predicates with the same names defined in Holloway and Krogh (1990). In that paper, these predicates were defined in terms of the set of so-called precedence paths, denoted by $\Pi_p$, for a given place $p \in \mathcal{P}$. In terms of the notation of the present paper, $\Pi_p$ is the set of all paths from some (controlled) transition in $T_c(p)$ to the place $p$ which do not contain another controlled transition. In the present paper, the predicates $A_p(m)$ and $\bar{A}_p(m)$ are defined in terms of only a single minimal weight path under the initial marking from each transition in $T_c(p)$. Thus, in the present paper we evaluate the predicates $A_p(m)$ and $\bar{A}_p(m)$ using only a subset $\Pi^*(p) \subseteq \Pi_p$ of the paths used in Holloway and Krogh (1990). The fact that it is sufficient to monitor only paths which are minimal weight paths under the initial marking follows from the following lemma.

Lemma 1. Given a CMG $\mathcal{G}$ with places $\mathcal{P}$, transitions $\mathcal{T}$ and initial marking $m_0$, and the set of paths $\Pi(t,p)$ from a transition $t \in \mathcal{T}$ to a place $p \in \mathcal{P}$, if $\pi_1, \pi_2 \in \Pi(t,p)$, then
$$w_{\pi_1}(m) - w_{\pi_2}(m) = w_{\pi_1}(m_0) - w_{\pi_2}(m_0)$$
for all $m \in \mathcal{R}(\mathcal{G}, m_0)$, the set of markings reachable from $m_0$.

Proof. We assume $\Pi(t,p) \ne \emptyset$, since the lemma is trivially true when $\Pi(t,p) = \emptyset$. Murata et al. (1982) showed that the total number of tokens in a closed-edge sequence of a marked graph is invariant over the set of reachable markings, where a closed-edge sequence is any directed sequence of nodes (places and transitions) beginning and terminating at the same node. Given place $p$ and transition $t$, let $t'$ be the output transition of place $p$, let $p'$ be any input place of transition $t$, and choose $\pi' \in \Pi(t', p')$. Such a $\pi'$ exists since $t'$ and $p'$ are necessarily in the same strongly connected component of $\mathcal{G}$. Then for any paths $\pi_1, \pi_2 \in \Pi(t,p)$, the sequences of places $\pi_1\pi'$ and $\pi_2\pi'$ each constitute the sequence of places along a closed-edge sequence in $\mathcal{G}$. Therefore, by the result of Murata et al. (1982), (i) $w_{\pi_1\pi'}(m) = w_{\pi_1\pi'}(m_0)$ and (ii) $w_{\pi_2\pi'}(m) = w_{\pi_2\pi'}(m_0)$ for all $m \in \mathcal{R}(\mathcal{G}, m_0)$, where $w_{\pi_i\pi'}(m) := w_{\pi_i}(m) + w_{\pi'}(m)$, $i = 1, 2$. The lemma follows by subtracting (ii) from (i). $\square$

This lemma implies that for any transition $t \in \mathcal{T}$ and place $p \in \mathcal{P}$, if $w_{\pi_1}(m_0) \ge w_{\pi_2}(m_0)$ for two paths $\pi_1, \pi_2 \in \Pi(t,p)$, then $w_{\pi_1}(m) \ge w_{\pi_2}(m)$ for any reachable marking $m$. Thus, it is sufficient to monitor only the paths in $\Pi^*(p)$ to evaluate the predicates $A_p(m)$ and $\bar{A}_p(m)$. Given this observation, we have the following result.

Theorem 1. Given a CMG $\mathcal{G}$ and a forbidden marking specification $\mathcal{F} \subseteq 2^{\mathcal{P}} \times \mathbb{Z}^+$ satisfying SA, $U_{\mathcal{F}}$ as defined in Section 4 is the maximally permissive feedback policy for the set of forbidden states $M_{\mathcal{F}}$.
Proof. Given the collection of set conditions $\mathcal{F}$, let $\mathcal{F}^*$ be the equivalent class condition specification for the algorithm in Holloway and Krogh (1990), as defined at the beginning of this section. Given an admissible state $m$, let $U'_{\mathcal{F}^*}(m)$ denote the (nonempty) set of controls satisfying Theorem 7 in Holloway and Krogh (1990); that is, $U'_{\mathcal{F}^*}(m)$ is the set of maximally permissive controls for the state $m$. Thus, letting $U_{\mathcal{F}^*}(m)$ denote the maximal set of admissible controls at state $m$, we have
$$U_{\mathcal{F}^*}(m) = \{\, u \in \mathcal{U} \mid u \le u^* \text{ for some } u^* \in U'_{\mathcal{F}^*}(m) \,\}.$$
The statement of the theorem is therefore equivalent to showing that $U_{\mathcal{F}}(m) = U_{\mathcal{F}^*}(m)$ for any admissible state $m$.

To show $U_{\mathcal{F}}(m) \subseteq U_{\mathcal{F}^*}(m)$, it is sufficient to show that any $u \in U_{\mathcal{F}}(m)$ satisfies condition (1) of Theorem 7 of Holloway and Krogh (1990). Suppose this is not the case for some $u \in U_{\mathcal{F}}(m)$. This would imply there exists some $F^* \in \mathcal{F}^*$ such that: (i) $A_p(m) \vee \bar{A}_p(m) = 1$ for all $p \in F^*$; (ii) $\bar{A}_p(m) = 0$ for at least one $p \in F^*$; and (iii) for every $p \in F^*$ such that $A_p(m) = 1$, if $\pi \in \Pi^*(p)$ and $A_\pi(m) = 1$, then $u(c) = 1$ for all $c \in C_\pi$. Now, from the definition of $\mathcal{F}^*$, $F^* \in \mathcal{F}^*_{(F,k)}$ for some $(F,k) \in \mathcal{F}$. Therefore, from (i) above it follows that $F^* \subseteq L_F(m) \cup B_F(m)$. Moreover, (ii) above implies $F^* \cap B_F(m) \ne \emptyset$, and (iii) above implies $u(c) = 1$ for all $c \in C_\pi$, for every marked $\pi \in \Pi^*(p)$ and every $p \in F^* \cap B_F(m)$, so that no place of $F^* \cap B_F(m)$ belongs to $D_F(m,u)$. These observations imply that $|D_F(m,u)| \le |B_F(m) - F^*|$. But
$$|B_F(m) - F^*| \le |B_F(m) \cup L_F(m) - F^*| = |B_F(m)| + |L_F(m)| - (k+1),$$
which implies that $|D_F(m,u)| < |B_F(m)| + |L_F(m)| - k$. This final inequality contradicts the assumption $u \in U_{\mathcal{F}}(m)$. Therefore, $U_{\mathcal{F}}(m) \subseteq U_{\mathcal{F}^*}(m)$.

We show next that the maximally permissive controls in $U'_{\mathcal{F}^*}(m)$ are in $U_{\mathcal{F}}(m)$. Suppose this is not the case; i.e. suppose there exists a control $u^* \in U'_{\mathcal{F}^*}(m)$ [that is, a control that satisfies Theorem 7 of Holloway and Krogh (1990)], but $u^* \notin U_{\mathcal{F}}(m)$. This would imply that there exists some $(F,k) \in \mathcal{F}$ such that $|D_F(m,u^*)| < |B_F(m)| + |L_F(m)| - k$. Note that this inequality implies $B_F(m) - D_F(m,u^*) \ne \emptyset$, since $m$ is admissible and hence $|L_F(m)| \le k$.

Now define the set of places $B' = L_F(m) \cup B_F(m) - D_F(m,u^*)$. We note that $|B'| \ge k+1$, since $|B'| = |L_F(m)| + |B_F(m)| - |D_F(m,u^*)| > k$. Choose any $F^* \subseteq B'$ such that $|F^*| = k+1$ and $B_F(m) \cap F^* \ne \emptyset$. Then $F^* \in \mathcal{F}^*_{(F,k)}$. From the construction of $F^*$ we have: (i) $A_p(m) \vee \bar{A}_p(m) = 1$ for all $p \in F^*$; (ii) $\bar{A}_p(m) = 0$ for at least one $p \in F^*$; and (iii) for every $p \in F^*$ such that $A_p(m) = 1$, if $\pi \in \Pi^*(p)$ and $A_\pi(m) = 1$, then $u^*(c) = 1$ for all $c \in C_\pi$. But this means the control $u^*$ violates condition (1) of Theorem 7 in Holloway and Krogh (1990), which contradicts the assumption $u^* \in U'_{\mathcal{F}^*}(m)$. Therefore, $U'_{\mathcal{F}^*}(m) \subseteq U_{\mathcal{F}}(m)$. Finally, we note that it follows immediately from the definition of $U_{\mathcal{F}}(m)$ that if $u \in U_{\mathcal{F}}(m)$ and $u' \le u$, then $u' \in U_{\mathcal{F}}(m)$. Hence $U_{\mathcal{F}^*}(m) \subseteq U_{\mathcal{F}}(m)$, since $U_{\mathcal{F}}(m)$ contains the maximal elements of $U_{\mathcal{F}^*}(m)$ and is closed under taking smaller controls. $\square$
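Two facts from this section checked by brute force on a constructed marked graph, as an added example that is not the paper's own code: Lemma 1 (the weight difference between two paths from $t$ to $p$ is the same at every reachable marking) and the claim $M_{\mathcal{F}^*} = M_{\mathcal{F}}$ (a marking violates a set condition $(F,k)$ exactly when it marks all of some $(k+1)$-subset of $F$). The net, the initial marking $m_0$, the set conditions and the function names are assumptions; the reachable set is enumerated by firing with no controls, which is what Lemma 1 ranges over.

```python
"""Added example (not from Krogh and Holloway): brute-force checks of Lemma 1
and of M_{F*} = M_F on a constructed marked graph."""
from collections import deque
from itertools import combinations, product

# Constructed marked graph: transition -> (input places, output places).
# Every place has exactly one input and one output transition, and the graph
# is strongly connected. tA forks into two branches that rejoin at tD.
NET = {
    "tA": (["p5"], ["p1", "p2"]),
    "tB": (["p1"], ["p3"]),
    "tC": (["p2"], ["p4"]),
    "tD": (["p3", "p4"], ["p5"]),
}
PLACES = ["p1", "p2", "p3", "p4", "p5"]
IDX = {p: i for i, p in enumerate(PLACES)}
M0 = (0, 1, 0, 0, 1)   # constructed initial marking: one token on p2, one on p5

def out_transition(p):
    return next(t for t, (ins, _) in NET.items() if p in ins)

def paths(t, p):
    """Pi(t, p): all simple place sequences from an output place of t to p."""
    found = []
    def walk(q, path):
        if q == p:
            found.append(tuple(path))
            return
        for r in NET[out_transition(q)][1]:
            if r not in path:
                walk(r, path + [r])
    for q in NET[t][1]:
        walk(q, [q])
    return found

def weight(path, m):
    """w_pi(m): number of tokens on the places of the path."""
    return sum(m[IDX[q]] for q in path)

def reachable(m0):
    """All markings reachable from m0 by firing (open loop, no controls)."""
    seen, todo = {m0}, deque([m0])
    while todo:
        m = todo.popleft()
        for ins, outs in NET.values():
            if all(m[IDX[q]] for q in ins):
                n = list(m)
                for q in ins:
                    n[IDX[q]] -= 1
                for q in outs:
                    n[IDX[q]] += 1
                n = tuple(n)
                if n not in seen:
                    seen.add(n)
                    todo.append(n)
    return seen

def lemma1_holds(t, p, m0):
    """w_pi1(m) - w_pi2(m) equals its value at m0 for every reachable m."""
    reach = reachable(m0)
    for pi1, pi2 in combinations(paths(t, p), 2):
        d0 = weight(pi1, m0) - weight(pi2, m0)
        if any(weight(pi1, m) - weight(pi2, m) != d0 for m in reach):
            return False
    return True

# Section 6 construction: F* collects every (k+1)-subset of each F.
def class_condition(conds):
    return [frozenset(s) for F, k in conds for s in combinations(sorted(F), k + 1)]

def forbidden_by_set_conditions(m, conds):
    """m in M_F: more than k places of some F are marked."""
    return any(sum(m[IDX[q]] >= 1 for q in F) > k for F, k in conds)

def forbidden_by_class_condition(m, fstar):
    """m in M_{F*}: every place of some F* is marked."""
    return any(all(m[IDX[q]] >= 1 for q in s) for s in fstar)

def same_forbidden_markings(conds):
    """M_{F*} == M_F over every 0/1 marking of the net."""
    fstar = class_condition(conds)
    return all(forbidden_by_set_conditions(m, conds) == forbidden_by_class_condition(m, fstar)
               for m in product((0, 1), repeat=len(PLACES)))

if __name__ == "__main__":
    print(paths("tA", "p5"), lemma1_holds("tA", "p5", M0), len(reachable(M0)))
    print(same_forbidden_markings([({"p1", "p2", "p3"}, 1), ({"p4", "p5"}, 1)]))
```

The two paths from `tA` to `p5` differ in weight by $-1$ at $m_0$ and at each of the eight reachable markings, which is the closed-edge invariance of Murata et al. (1982) that the proof of Lemma 1 relies on: each path closed through `p5` and back to `tA` is a cycle whose token count never changes.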
7. CONCLUSIONS
In this paper we present the formulation and solution of forbidden state problems for discrete manufacturing systems modeled by cyclic controlled marked graphs (CMGs). Due to the distributed representation of the system state in terms of the net marking, CMGs provide a compact, intuitive modeling framework for describing the state transition dynamics of the manufacturing system as well as the forbidden state specifications. More importantly, the graphical representation of the system allows us to obtain an efficient method for synthesizing state feedback control logic which solves the forbidden state problem. Our empirical computational results demonstrate that our algorithm is very efficient relative to the exhaustive search methods proposed previously.

The results presented in this paper are an initial step towards a comprehensive set of tools for synthesizing manufacturing control systems. Although many manufacturing control problems can be solved by intuition or with application-specific algorithms, the CtlPN model provides a formal framework for computer-based analysis and control synthesis. In contrast to heuristic solutions, which must be tested and debugged, an algorithmic approach to control logic synthesis guarantees correctness and completeness of the solution. The solution of the maximally permissive state feedback control problem characterizes the entire set of necessary and sufficient controls for which the forbidden states will be avoided. The nonuniqueness of the maximally permissive controls indicates additional design freedom which can be exploited to satisfy other performance objectives. On-line or off-line analysis could be applied to select a specific control input to achieve the desired system response. A major advantage of the control synthesis procedure is that it is based on the model of the open-loop system dynamics and a specification of the desired closed-loop behavior. Thus, new controls can be computed quickly and automatically when the system is modified or the control objectives are changed.

There are several directions for future research. Conditions for liveness of the closed-loop system under maximally permissive control were obtained recently (Holloway and Krogh, 1989). We are currently investigating the complexity of the off-line and on-line computations. To broaden the applicability of the algorithm presented in this paper, methods need to be developed for translating classes of operational specifications for manufacturing systems into forbidden state problems. We are also interested in extending the CMG framework to address problems involving branching in the operation sequences, such as error recovery and alternative control flows.

This research is supported in part by North American Philips Corporation and by the U.S. National Science Foundation under grant number DMC-8451493.
REFERENCES

Dubois, D. and K. Stecke (1983). Using Petri nets to represent production processes. Proc. 1983 IEEE Conf. on Decision and Control, pp. 1062-1067.
Floyd, R. W. (1962). Algorithm 97: shortest path. Comm. ACM, 5, 345.
Hillion, H. P. and J.-M. Proth (1989). Performance evaluation of job-shop systems using timed event-graphs. IEEE Trans. Aut. Control, AC-34, 3-9.
Holloway, L. E. and B. H. Krogh (1989). On closed-loop liveness of discrete event systems under maximally permissive control. Proc. 1989 IEEE Conf. on Decision and Control, Tampa, Florida.
Holloway, L. E. and B. H. Krogh (1990). Synthesis of feedback control logic for a class of controlled Petri nets. IEEE Trans. Aut. Control, AC-35, 514-523.
Ichikawa, A. and K. Hiraishi (1988). Analysis and control of discrete event systems represented by Petri nets. In Discrete Event Systems: Models and Applications, Springer, New York.
Krogh, B. H. (1987). Controlled Petri nets and maximally permissive feedback logic. Proc. 25th Annual Allerton Conf., University of Illinois, Urbana.
Murata, T., V. B. Le and D. J. Leu (1982). A method for realizing the synchronic distance matrix as a marked graph. Proc. 1982 IEEE Int. Symp. on Circuits and Systems, Rome, pp. 609-611.
Perkins, J. R. and P. R. Kumar (1989). Stable, distributed, real-time scheduling of flexible manufacturing/assembly/disassembly systems. IEEE Trans. Aut. Control, AC-34, 139-148.
Ramadge, P. J. and W. M. Wonham (1987a). Supervisory control of a class of discrete-event processes. SIAM J. Control Optimiz., 25, 206-230.
Ramadge, P. J. and W. M. Wonham (1987b). Modular feedback logic for discrete-event systems. SIAM J. Control Optimiz., 25, 1202-1218.
Reisig, W. (1982). Petri Nets. Monographs on Theoretical Computer Science. Springer, New York.